
Securing SerpApi API Key Best Practices

v20260423
serpapi-security-basics
This guide outlines essential security best practices for managing and protecting your SerpApi API key. Since the key grants full account access, developers must never expose it in client-side code. It details how to implement secure backend proxies, manage environment variables using secret managers, set up rate limiting to prevent abuse, and monitor usage patterns in production environments.

SerpApi Security Basics

Overview

SerpApi uses a single API key for authentication. The key grants full account access -- there are no scoped keys or OAuth. Protect it like a credit card: never expose it in frontend code, and always proxy requests through your backend.

Instructions

Step 1: Never Expose API Key in Frontend

// BAD: API key in browser-side code
const result = await fetch(`https://serpapi.com/search.json?q=${query}&api_key=YOUR_KEY`);

// GOOD: Proxy through your backend
// Frontend
const result = await fetch(`/api/search?q=${encodeURIComponent(query)}`);

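// Backend (api/search.ts)
import { getJson } from 'serpapi';

export async function GET(req: Request) {
  const url = new URL(req.url);
  const q = url.searchParams.get('q');
  // Reject empty queries before spending a search credit
  if (!q) {
    return Response.json({ error: 'Missing q parameter' }, { status: 400 });
  }
  const result = await getJson({
    engine: 'google', q,
    api_key: process.env.SERPAPI_API_KEY, // Server-side only
  });
  // Return only the results, never the raw upstream response
  return Response.json(result.organic_results);
}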

Step 2: Secure Storage

# .gitignore
.env
.env.local

# Use platform secret managers in production
gh secret set SERPAPI_API_KEY       # GitHub Actions
vercel env add SERPAPI_API_KEY      # Vercel
fly secrets set SERPAPI_API_KEY=x   # Fly.io

Step 3: Rate Limit Your Proxy

// Prevent abuse of your search proxy endpoint
import express from 'express';
import rateLimit from 'express-rate-limit';

const app = express();

const searchLimiter = rateLimit({
  windowMs: 60_000,    // 1 minute
  max: 10,             // 10 searches per minute per IP
  message: 'Too many searches, try again later',
});

// searchHandler is your Express handler that calls SerpApi server-side
app.get('/api/search', searchLimiter, searchHandler);

Step 4: Monitor Usage

# Set up daily usage check
curl -s "https://serpapi.com/account.json?api_key=$SERPAPI_API_KEY" \
  | jq '{used: .this_month_usage, remaining: .plan_searches_left}'

# Alert if usage is unexpectedly high
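
One way to fill in the alert step, as an added example that is not part of this skill or of SerpApi's own code: it reads the same `this_month_usage` and `plan_searches_left` fields as the curl call and flags a reading that runs ahead of a pro-rata monthly pace, jumps sharply since the previous reading, or leaves few searches. The function names, thresholds and the "quota = used + remaining" estimate are assumptions.

```javascript
// Added example; function names and thresholds are assumptions, not SerpApi defaults.
// Field names this_month_usage / plan_searches_left are the ones queried above.

// Evaluate one account.json reading; `prev` is the previous day's reading, if any.
function evaluateUsage(account, now, prev = null, opts = {}) {
  const { paceFactor = 1.5, minRemaining = 100, maxDailyDelta = 500 } = opts;
  const used = Number(account.this_month_usage);
  const remaining = Number(account.plan_searches_left);
  if (!Number.isFinite(used) || !Number.isFinite(remaining)) {
    // Missing fields usually mean an error payload (for example a rejected key).
    return ['account.json response is missing usage fields'];
  }
  const alerts = [];
  // Assumption: monthly quota is roughly used + remaining (extra credits ignored).
  const quota = used + remaining;
  const daysInMonth = new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth() + 1, 0)).getUTCDate();
  const expected = quota * (now.getUTCDate() / daysInMonth);
  if (used > expected * paceFactor) {
    alerts.push(`usage ${used} exceeds ${paceFactor}x pro-rata pace (${Math.round(expected)})`);
  }
  if (remaining < minRemaining) alerts.push(`only ${remaining} searches left this month`);
  // Usage resets monthly, so a negative day-over-day delta is not an anomaly.
  const delta = prev ? used - Number(prev.this_month_usage) : 0;
  if (delta > maxDailyDelta) alerts.push(`${delta} searches since the previous reading`);
  return alerts;
}

// Fetch a live reading. Never log the request URL: it contains the key.
async function fetchAccount(apiKey = process.env.SERPAPI_API_KEY) {
  if (!apiKey) throw new Error('SERPAPI_API_KEY is not set');
  const res = await fetch(`https://serpapi.com/account.json?api_key=${encodeURIComponent(apiKey)}`);
  if (!res.ok) throw new Error(`account.json returned HTTP ${res.status}`);
  return res.json();
}

// Constructed sample readings (not real account data), evaluated on 10 April 2026.
const yesterday = { this_month_usage: 900, plan_searches_left: 4100 };
const today = { this_month_usage: 2600, plan_searches_left: 2400 };
console.log(evaluateUsage(today, new Date(Date.UTC(2026, 3, 10)), yesterday));
```

Run it from a daily scheduled job that persists the previous reading, and route any non-empty result to your alerting channel.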

Security Checklist

  • API key in environment variables only
  • .env in .gitignore
  • Backend proxy for all search requests
  • Rate limiting on proxy endpoints
  • Usage monitoring and alerts
  • Separate keys for dev/prod (if available)

Resources

Next Steps

For production deployment, see serpapi-prod-checklist.

Info
Category Development
Name serpapi-security-basics
Version v20260423
Size 2.64KB
Updated At 2026-04-28