From serpapi-pack
Secures SerpApi API keys via backend proxies, rate limiting, env storage, and usage monitoring to prevent exposure and credit abuse.
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin serpapi-pack
SerpApi uses a single API key for authentication. The key grants full account access -- there are no scoped keys or OAuth. Protect it like a credit card: never expose it in frontend code, and always proxy requests through your backend.
```typescript
// BAD: API key in browser-side code
const result = await fetch(`https://serpapi.com/search.json?q=${query}&api_key=YOUR_KEY`);
```

```typescript
// GOOD: Proxy through your backend
// Frontend
const result = await fetch(`/api/search?q=${encodeURIComponent(query)}`);
```

```typescript
// Backend (api/search.ts)
import { getJson } from 'serpapi';

export async function GET(req: Request) {
  const url = new URL(req.url);
  const q = url.searchParams.get('q');
  // Reject requests without a query before spending a search credit
  if (!q) {
    return Response.json({ error: 'Missing q parameter' }, { status: 400 });
  }
  const result = await getJson({
    engine: 'google', q,
    api_key: process.env.SERPAPI_API_KEY, // Server-side only
  });
  return Response.json(result.organic_results);
}
```
```gitignore
# .gitignore
.env
.env.local
```

```bash
# Use platform secret managers in production
gh secret set SERPAPI_API_KEY       # GitHub Actions
vercel env add SERPAPI_API_KEY      # Vercel
fly secrets set SERPAPI_API_KEY=x   # Fly.io
```
```typescript
// Prevent abuse of your search proxy endpoint
import rateLimit from 'express-rate-limit';

const searchLimiter = rateLimit({
  windowMs: 60_000, // 1 minute
  max: 10,          // 10 searches per minute per IP
  message: 'Too many searches, try again later',
});

// `app` is your Express app; `searchHandler` is the route handler that calls SerpApi
app.get('/api/search', searchLimiter, searchHandler);
```
```bash
# Set up daily usage check
curl -s "https://serpapi.com/account.json?api_key=$SERPAPI_API_KEY" \
  | jq '{used: .this_month_usage, remaining: .plan_searches_left}'
# Alert if usage is unexpectedly high
```
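The usage check above stops at a comment. As an added example (not part of serpapi-pack), this function turns the two fields that check reads into an alert decision. The function name, the thresholds, the linear-pace model and the calendar-month (UTC) reset are assumptions.

```javascript
// Added example: turns the account.json fields queried above into an alert decision.
// Assumptions: quota = used + remaining, and usage resets on the calendar month (UTC).
function evaluateUsage(account, now = new Date(), opts = {}) {
  const { paceFactor = 1.5, minRemainingRatio = 0.1 } = opts; // hypothetical thresholds
  const used = account?.this_month_usage;
  const remaining = account?.plan_searches_left;

  // An error body (e.g. a rejected key) has no usage fields: alert, never pass silently.
  if (!Number.isFinite(used) || !Number.isFinite(remaining) || used < 0 || remaining < 0) {
    return { alert: true, reasons: ['usage fields missing or invalid'] };
  }

  const quota = used + remaining;
  const daysInMonth = new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth() + 1, 0)).getUTCDate();
  const expected = quota * (now.getUTCDate() / daysInMonth); // linear spend over the month
  const reasons = [];

  if (used > expected * paceFactor) {
    reasons.push(`used ${used}, expected about ${Math.round(expected)} by now`);
  }
  if (remaining < quota * minRemainingRatio) {
    reasons.push(`only ${remaining} of ${quota} searches left`);
  }
  return { alert: reasons.length > 0, reasons };
}

// Constructed sample responses, not real account data.
const samples = [
  { label: 'normal', body: { this_month_usage: 1200, plan_searches_left: 3800 } },
  { label: 'burst', body: { this_month_usage: 3000, plan_searches_left: 2000 } },
  { label: 'error', body: { error: 'constructed error body' } },
];
const when = new Date(Date.UTC(2024, 5, 10)); // fixed date so the output is repeatable
for (const { label, body } of samples) {
  const { alert, reasons } = evaluateUsage(body, when);
  console.log(label, alert ? `ALERT: ${reasons.join('; ')}` : 'ok');
}
```

Run it from the same daily job that fetches `account.json`, on the server only, so the key never reaches a client.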
`.env` in `.gitignore`

For production deployment, see serpapi-prod-checklist.