Delete without a key? (client-side application)


I'm running a client side application. A long time ago, before I knew much about JS and front-end dev, I had setup some wrapper around the cloudinary endpoint, so my users can upload pictures, and delete them.

While reviewing my code, I found that I use an api key in the bundled js. This is of course A Very Bad Idea. However, diving into the "destroy" method, I found that is is seemingly impossible for serverless, client-side applications to delete assets. Am I correct? Or are there possibilities (and I know of the 10-minute window you can use after uploading an asset, but that won't do, as it can be weeks, months or years later).

Lacking a direct method, how is this for an idea? Can we soft-delete assets by "tagging" them with a "deleted" tag, and then once in a while run a deleter that deletes all assest with this tag? That said, ideally I have a "real" delete.



  • Zachary
    Zachary Member, Cloudinary Staff Cloudinary Staff

    Hey there Kit, 

    Thanks for writing to Cloudinary!

    Typically you shouldn't worry about having your API key public-facing but you should be concerned if it's your API secret. 

    As for the destroy method, you are correct that there is no clientside way to accomplish this call. I think tagging them and running a deletion worker periodically could be a great idea. You might also consider some sort of date structuring so that you can delete based on that as well. 

    Please let me know if you have any questions or run into any issues in implementation. 



  • kitzeller
    kitzeller Member

    Oh... unless I'm doing something wrong, it seems that tagging too, requires an API-key / signed call.

  • I'm doing something wrong, it seems that tagging too, requires an API-key / signed call

  • Thanks for solving my problem