What is the best way to keep access keys private on client side?

I am currently creating a program which interfaces with Amazon's REST/SOAP service and Paypal's NVP service. Basically the program retrieves information from Amazon and needs to check to make sure the user has a subscription with my account on Paypal before it allows them to continue. Both of these require access identifiers which need to be kept secret. This program is going to run client side; therefore hardcoding the keys into the program would be out of the question. Correct?

What is my best alternative here? Is the only solution to create a server which all my client interactions must pass through in order to get to Amazon and Paypal? And if I was to build a server to do this what would be the most efficient way to do this?

Thank you greatly for your help in advance,
Shane.

Welcome to JavaRanch.

It's really impossible to keep anything that you install on a client's computer secret. There is always a (theoretical) possibility that a smart hacker will reverse engineer the software and find the secret key. So if security is really important, putting the secret information somewhere on the client's computer, however you encrypt it, is never going to be fundamentally safe.

One solution would indeed be to pass all the client interactions through a server, and put the secret key on the server so that it's not accessible to clients. What the best way is to do this depends on what you're trying to do exactly. You could implement web services on your server, and make the client program call those web services.

Thank you for the welcome and your quick response.

By your tone it seems that it may not be completely imperative to remove those codes from the client side. The application I am planning to release is going to have a very limited specific audience (200-2000 users). I am not completely familiar with the Paypal API currently I am researching it. I am not sure if the Paypal code that I use to determine if the client has a subscription can be used to withdrawal money from my account either, which would be a major problem. Does anyone know if this is the case?

Basically I need the program to be able to get REST generated XML documents from Amazon, and to confirm with Paypal that the client has permission to use the program at that time. Both of which allow access through a secret key.

I suppose creating a REST server that just passed values to Amazon's REST server, and could generate a REST response with Paypal's response would work. I do not currently know how to make a pass-through server like this though. I have read up on how to make it from a database, but not from scratch. Do you know of anywhere I could get more information specifically about this?

Thanks again.

By your tone it seems that it may not be completely imperative to remove those codes from the client side.

Jesper's a nice guy, and that's how he phrases things

I'd phrase it more like this: NEVER, EVER, distribute keys or access codes of yours. Sooner or later, they WILL be misappropriated. Period.

A proxy server that takes all relevant information, and then accesses the pertinent servers is the way to go. I'm not sure what you mean by creating a server from a database - it sounds as if there wouldn't necessarily need to be a database involved. All you need is a servlet container that accepts HTTP requests from the client app, accesses PayPal and Amazon as required, and sends back whatever results the client app needs as the HTTP response. You could use a REST toolkit for this, but that's not mandatory as I see it. (You may want to log all accesses along with the relevant data, IP address and user information, so that you have a record of what's happening.)

Thank you once again. You guys are amazingly helpful.