Is there a difference between Secret and Hidden for Parameters on plugins aside from the fact it’s hidden on the app itself?
Good question, we would like clarity on this aswell
The documentation says Hidden parameters are for the plugin builder, and won’t be exposed to the user that uses the plugin. For instance, it can be an encoding type, etc.
But that isn’t completely clear about if it’s processed client-side or server-side.
A hidden key’s value is visible in the Bubble’s script.
A private key’s value is not visible. You can access this value only in the API connector and server-side actions.
Please have a look at the following video:
In the example above, there are two parameters:
- name: hidden_key; value: find_me_i_am_a_hidden_key;
- name: secret_key; value: find_me_i_am_a_secret_key
The find_me_i_am_a_hidden_key is available and the find_me_i_am_a_secret_key is not in the script:
In an effort to clarify things a bit more (due to the rather confusing Bubble terminology)…
Between the parameters on the API calls tab and the keys on the Shared tab, there are actually 4 labels (types) that reference visibility: Public, Hidden, Secret, and Private.
As best I can tell, Hidden simply means that it’s not exposed to the Bubble developer via the UI, but it’s still discoverable client-side (as @lottemint.md’s video depicts). IOW, it’s needed only by the plugin developer, so simply don’t bother the Bubble dev about it (but it’s not sensitive).
Secret and Private both seem to mean the same thing - i.e. that the value is not discoverable client-side (is kept on the server) and is therefore suitable for information that should be kept secure.
|API calls Tab (parameters)||Public||No|
|API calls Tab (parameters)||Hidden||No|
|API calls Tab (parameters)||Secret||Yes|
|Shared Tab (keys)||Public||No|
|Shared Tab (keys)||Private||Yes|
If anyone knows any different, please let me know.
Just to clarify furthermore here.
Does it mean that there are no ways to securely hide Credentials in Shared Tab in a Client-Side Action ?
Yes you can, using privacy rules and loading the credentials from the database =)
Could you elaborate on how one would start about doing this?
- Save the key in your database
- Apply privacy rules
- Execute workflow by doing a search for the key
- avoid using option sets
What do you mean exactly by “execute workflow by doing a search for the key” could you give an example?
Thanks in advance!
My hands are really tied at the moment, I recommend you to lookup on the Bubble courses on how to handle dynamic data within Bubble and you should be set to go. If you’re unsure after that, you can always create a new topic and reach out to the community
How is this being handled today? I can’t see those (secret, private, hidden, public) labels anymore.
Is this access token private?
If not, how can I make it private?