Encrypton of hidden data on Plugins

Is there a difference between Secret and Hidden for Parameters on plugins aside from the fact it’s hidden on the app itself?

2 Likes

Good question, we would like clarity on this aswell

The documentation says Hidden parameters are for the plugin builder, and won’t be exposed to the user that uses the plugin. For instance, it can be an encoding type, etc.

But that isn’t completely clear about if it’s processed client-side or server-side.

2 Likes

A hidden key’s value is visible in the Bubble’s script.
A private key’s value is not visible. You can access this value only in the API connector and server-side actions.

Please have a look at the following video:

In the example above, there are two parameters:

  • name: hidden_key; value: find_me_i_am_a_hidden_key;
  • name: secret_key; value: find_me_i_am_a_secret_key

The find_me_i_am_a_hidden_key is available and the find_me_i_am_a_secret_key is not in the script:
https://dhtiece9044ep.cloudfront.net/package/run_js_page/e54a66b640d6169b814e7d6c251f7064a4de8eb53b9f5e3aec68f2e0d759c2dc/testing-keys/test/index/xnull/xfalse/xfalse/xfalse/en_us/xfalse/xtrue

1 Like

In an effort to clarify things a bit more (due to the rather confusing Bubble terminology)…

Between the parameters on the API calls tab and the keys on the Shared tab, there are actually 4 labels (types) that reference visibility: Public, Hidden, Secret, and Private.

As best I can tell, Hidden simply means that it’s not exposed to the Bubble developer via the UI, but it’s still discoverable client-side (as @lottemint.md’s video depicts). IOW, it’s needed only by the plugin developer, so simply don’t bother the Bubble dev about it (but it’s not sensitive).

Secret and Private both seem to mean the same thing - i.e. that the value is not discoverable client-side (is kept on the server) and is therefore suitable for information that should be kept secure.

UI Location Type Secure
API calls Tab (parameters) Public No
API calls Tab (parameters) Hidden No
API calls Tab (parameters) Secret Yes
Shared Tab (keys) Public No
Shared Tab (keys) Private Yes

If anyone knows any different, please let me know.

-Steve

5 Likes

Just to clarify furthermore here.

Does it mean that there are no ways to securely hide Credentials in Shared Tab in a Client-Side Action ?

Yes you can, using privacy rules and loading the credentials from the database =)

1 Like

Could you elaborate on how one would start about doing this?

  • Save the key in your database
  • Apply privacy rules
  • Execute workflow by doing a search for the key
  • avoid using option sets
2 Likes

What do you mean exactly by “execute workflow by doing a search for the key” could you give an example?
Thanks in advance!

Sorry Armando,

My hands are really tied at the moment, I recommend you to lookup on the Bubble courses on how to handle dynamic data within Bubble and you should be set to go. If you’re unsure after that, you can always create a new topic and reach out to the community :+1:

1 Like

Hi,

How is this being handled today? I can’t see those (secret, private, hidden, public) labels anymore.

Is this access token private?

OVT

If not, how can I make it private?

Thanks!