Sensitive Information in Custom State

If one were to store an API token in a custom state. Are these exposed?

1 Like

Each thing on the client-side is exposed, including the states.

1 Like

I thought so, but one of the a plugins I bought demo app was doing that for some reason.

Hey are these params exposed when used in a workflow?

Pretty late, I guess.

Yeah, they are exposed.
If the current user should not see a token in any case, it might help run these actions in the Backend section. There are cases when a key is a dynamic one, and you need to store it in the database - here, you can configure the key’s visibility in the Database > Privacy section.