You can’t make API keys secure if they are meant to be shared. What you should instead focus on is securing your API by rate limiting the server and suspending suspicious clients. Obfuscating the source code is not secure and makes your plugin suspicious. I would also refrain from logging messages on the server and instead use something called Diffi-Hellman-Key-Exchange. This will make sure only certain parties are able to read messages.
2 Likes