Keep API Key secret
complete
Maxime Beugnet
I am using an external API Key which I stored in my Stitch Values and I also use a public GitHub repository to save my project.
Just like my Google Auth Token and Twilio Token are secrets, I would like to keep this API Key secret from the stitch-cli import/export feature.
At the moment, the only workaround available is to override the "values/my_value.json" file with a dummy API Key every time I do a stitch-cli export so I can hide the real API Key value and avoid sharing it publicly.
Drew DiPalma
marked this post as
complete
Hi Folks – With our latest release we now have the concept of 'Secrets' within Stitch. These will allow you to work alongside values with sensitive details such as API Keys.
Documentation: https://docs.mongodb.com/stitch/values/
Bertrand THOMAS
I think it's OK now: we can store the secret value in "Secret" and reference it in the Value. Just did it and it's as I expected!
Drew DiPalma
Merged in a post:
Access restrictions on Stitch Values
Sander van Loo
I have a use case to store sensitive information in a Stitch Value (e.g. an authorization token) required to communicate with an external service. I'd like to ensure that regular application users cannot access those Values.
Drew DiPalma
Hi Sander – While we don't allow Stitch Values to be accessed via SDK, we are also working on an additional improvement to help hide sensitive values like API keys.
Maxime Beugnet
Awesome, thanks Drew!
Drew DiPalma
marked this post as
in progress
We have started broader work on improving code deployment that will also cover this functionality.
Drew DiPalma
marked this post as
planned
Hi Maxime – We are in the planning stages of an improvement that will address this.