Is there a secure way to pass API keys to an oracle in Chainlink?
I'm writing a contract (function code below) that pulls data from an API via the Chainlink GET function. I have read that Provable (Oraclize) has an option to encrypt API request parameters. Does Chainlink offer anything similar? I've been googling a lot, but haven't been able to find anything helpful so far. I'd really like to avoid sending my API key on a public chain for obvious reasons.
```solidity
function requestVolumeData(string memory apiurl, string memory jsonpath) public returns (bytes32 requestId)
{
    Chainlink.Request memory request = buildChainlinkRequest(jobId, address(this), this.fulfill.selector);
    // Set the URL to perform the GET request on
    request.add("get", apiurl);
    request.add("path", jsonpath);
    // Multiply the result by 1000000000000000000 to remove decimals
    int timesAmount = 10**18;
    request.addInt("times", timesAmount);
    // Sends the request
    return sendChainlinkRequestTo(oracle, request, fee);
}
```
Solution 1:[1]
Ideally, you'd not want to put your API keys on-chain at all, but here are your options for working with sensitive data with a Chainlink oracle.
1. Pass your API key to a node operator
This, of course, is a trusted operation since you'll have to trust the node operator with your key. However, this will prevent the world from seeing your key, and the node operator can just use it on the backend.
2. Encrypt your key before you use it
You'll still need to give the Chainlink node operators a way to decrypt the data on the back end, and this is considered less safe because you're still giving people a way to access your data, and you're putting it on-chain.
3. Make a protected API that can only be called by node operators.
So you'd run an API that wraps around another API.
4. DECO (not live yet)
There are plans to have DECO come out at some time which will help keep private data safe even from Chainlink node operators.
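Option 3 above (an API that wraps the real one and holds its key), as an added example; it is not code from the answer or from Chainlink. The upstream URL, the parameter names and the per-operator bearer token, handed to each node operator out of band, are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# All names below are assumptions for illustration, not from the page.
UPSTREAM = "https://api.example.com/v1/volume"  # placeholder upstream endpoint
ALLOWED_PARAMS = {"fsym", "tsym"}               # the only caller-controlled fields

def token_hash(token: str) -> str:
    """Only hashes of operator tokens are stored by the wrapper."""
    return hashlib.sha256(token.encode()).hexdigest()

def operator_for(token: str, operators: dict):
    """Return the operator name whose stored token hash matches, else None."""
    digest = token_hash(token)
    match = None
    for name, stored in operators.items():
        # compare_digest avoids leaking how many leading characters matched
        if hmac.compare_digest(digest, stored):
            match = name
    return match

def handle(headers: dict, params: dict, operators: dict, api_key: str, fetch):
    """Process one wrapper request and return (status, body).

    fetch(url) performs the upstream GET; it is injected so the key-handling
    logic can be exercised without network access.
    """
    auth = headers.get("Authorization", "")
    token = auth[7:] if auth.startswith("Bearer ") else ""
    if operator_for(token, operators) is None:
        return 401, "unauthorized"
    # Forward only known fields, so a caller cannot redirect or reshape the call.
    if set(params) - ALLOWED_PARAMS:
        return 400, "unsupported parameter"
    # The real API key is added here, server-side; it never appears on-chain
    # or in anything the caller sends.
    url = UPSTREAM + "?" + urlencode({**params, "api_key": api_key})
    body = fetch(url)
    # Refuse to relay a response that echoes the key back.
    if api_key in body:
        return 502, "upstream response withheld"
    return 200, body

if __name__ == "__main__":
    ops = {"node-a": token_hash("constructed-token-a")}  # constructed sample data
    fake = lambda url: '{"RAW":{"VOLUME24HOUR":1234.5}}'
    print(handle({"Authorization": "Bearer constructed-token-a"},
                 {"fsym": "ETH", "tsym": "USD"}, ops, "constructed-key", fake))
```

The on-chain request then carries only the wrapper's URL and the non-secret parameters, and a single operator's token can be revoked without rotating the upstream key.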
Solution 2:[2]
The only safe way to do this is with confidential computing. That's what we do at Verifiably.
I'm guessing Chainlink will eventually add this capability. I'm not sure why they didn't do this after their Town Crier acquisition, seemed like the natural thing to do.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Patrick Collins |
| Solution 2 | Atul Payapilly |
