Help pls. Allow users to add their own API keys

Hi everyone,

Nice to meet you all. My business partners and I are building multi-tenant facility management software and need some guidance on dynamic API keys. The structure of our app is as follows:

  • Main app is used to handle our marketing website and overall build of the platform.
  • Sub apps are used for different companies who sign up with our platform.
  • Each company can have multiple “stores” which are facilities.
  • For some companies, each store will need to be able to connect their own API accounts to our system as “integrations”. This is necessary for some with no alternative.

We are struggling with trying to understand how we can allow stores to provide their own API keys and have us dynamically use them without exposing them to any user.

We know we can use OAuth, but some of the APIs we desperately need to connect via private key in header.

Does running the APIs in the back end workflows solve this security issue?

We don’t have concerns about data security with regard to storing these keys, as only two of us have access to the editor and it’s completely locked down with LastPass.

Any suggestions?

Thanks!
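
An added example, not part of the original post: one way a backend can hold per-store integration keys and attach them to outbound calls so the browser only ever sends a store id and an integration name. The function names, the `X-Api-Key` header, the placeholder upstream host and the in-memory `vault` are assumptions for illustration; the master key is assumed to come from a KMS or secret manager in a real deployment.

```javascript
// Added example: server-side vault for per-store integration keys (all names hypothetical).
const crypto = require('node:crypto');

// Assumption: in production the master key comes from a KMS or secret manager.
const MASTER_KEY = crypto.randomBytes(32);
const vault = new Map(); // stand-in for a database table keyed by "storeId:integration"

// Encrypt a store's API key with AES-256-GCM, bound to its store and integration via AAD.
function saveKey(storeId, integration, apiKey) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', MASTER_KEY, iv);
  cipher.setAAD(Buffer.from(`${storeId}:${integration}`));
  const ct = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  vault.set(`${storeId}:${integration}`,
    { iv, ct, tag: cipher.getAuthTag(), last4: apiKey.slice(-4) });
}

// Decrypt only inside the backend; a record copied into another store's slot fails the tag check.
function loadKey(storeId, integration) {
  const rec = vault.get(`${storeId}:${integration}`);
  if (!rec) throw new Error('integration not configured');
  const d = crypto.createDecipheriv('aes-256-gcm', MASTER_KEY, rec.iv);
  d.setAAD(Buffer.from(`${storeId}:${integration}`));
  d.setAuthTag(rec.tag);
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
}

// What the browser may see: status and a masked hint, never the key itself.
function describeForClient(storeId, integration) {
  const rec = vault.get(`${storeId}:${integration}`);
  return rec
    ? { integration, configured: true, hint: `****${rec.last4}` }
    : { integration, configured: false };
}

// Build the outbound call server-side. The authenticated session says which stores
// the caller belongs to; the client never supplies or receives the key.
function buildUpstreamRequest(session, storeId, integration, path) {
  if (!session.storeIds.includes(storeId)) throw new Error('forbidden: store not in session');
  return {
    url: `https://api.example.invalid${path}`, // placeholder upstream host
    headers: { 'X-Api-Key': loadKey(storeId, integration) }, // header name is an assumption
  };
}
```

The object returned by `buildUpstreamRequest` is meant to be consumed by the backend's HTTP client only; responses relayed to the browser should be built from the upstream body, not from this request object.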