Best way to hide a secret key - perhaps with php?

It was suggested that I use the Node.js SDK to deal with hashing secret keys and such, but suddenly this turned way more complicated than it needed to be. Also, since my website uses SSL/TLS, I can't even call my server because it's self-signed, and I would have to deal with SSL on a DigitalOcean droplet -- suddenly it's a bit bigger in scope than I thought, so I stopped doing this.

I now need to hide my key without using Node. What are my options? I have PHP, but there's no GameSparks PHP SDK.

Can anyone give me some flow for this? Bonus points for snippets, but workflow alone would be very helpful -- Google has all this obsolete info.


Or hmm... I wonder if it would be safe if I put the websparks api offsite (1 dir behind public www), as in

   - www (public)
      - index.php
       script gamesparks.js

And then I stored the key in gamesparks.js - would it be safe?

Or similarly, what if I did this:

I know it's unsafe to store the secret key for the clients to simply Ctrl+U and see it,

  1. I move my GS SDK 1 folder up from my public www (so gamesparks would be at ../gamesparks.js)
  2. For the function that requests the secret key, I move it to this file that's 1 up from the www
  3. I store my onNonce (with secret) function at ../gamesparks.js (non-public folder)

Is this secure?

Hmm, I guess you can just use a console and type console.log(secretVar) and it'll show -__- Must be PHP it seems, or some technique I don't know.
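One way to keep the secret off the client with PHP, as an added example that is not part of the original post and not GameSparks code: the browser's nonce handler POSTs the nonce to a small endpoint, which computes the digest server-side and returns only the result. It assumes the SDK expects base64(HMAC-SHA256(nonce, secret)); the session key `user_id`, the path `../private/gs_secret.php`, the nonce shape and the rate limit are hypothetical.

```php
<?php
// sign_nonce.php: added example (not GameSparks code). This file sits in the
// public web root; the secret it reads does not.
declare(strict_types=1);

session_start();
header('Content-Type: application/json');
header('Cache-Control: no-store');

function fail(int $status, string $message): void
{
    http_response_code($status);
    echo json_encode(['error' => $message]);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST only');
}

// Sign only for visitors your own login code has authenticated, so the
// endpoint is not an open signing service. 'user_id' is a hypothetical key.
if (empty($_SESSION['user_id'])) {
    fail(401, 'not logged in');
}

// Crude per-session throttle (assumed limit: 10 signatures per minute).
$now = time();
$recent = array_filter($_SESSION['sign_times'] ?? [], fn($t) => $t > $now - 60);
if (count($recent) >= 10) {
    fail(429, 'too many requests');
}
$recent[] = $now;
$_SESSION['sign_times'] = array_values($recent);

// Assumed nonce shape: short printable ASCII. Adjust to what the SDK sends.
$nonce = $_POST['nonce'] ?? '';
if (!is_string($nonce) || !preg_match('/\A[\x21-\x7e]{1,256}\z/', $nonce)) {
    fail(400, 'bad nonce');
}

// Hypothetical PHP file one level above www that returns the secret string.
$secret = require __DIR__ . '/../private/gs_secret.php';
if (!is_string($secret) || $secret === '') {
    fail(500, 'server misconfigured');
}

// Assumed digest format: base64(HMAC-SHA256(nonce, secret)).
echo json_encode(['hmac' => base64_encode(hash_hmac('sha256', $nonce, $secret, true))]);
```

Any JavaScript the browser executes is readable by the user, so only the returned digest should ever reach the page, and the endpoint should be served over HTTPS.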
