If one were to store an API token in a custom state. Are these exposed?
Each thing on the client-side is exposed, including the states.
I thought so, but one of the box.com a plugins I bought demo app was doing that for some reason.
Hey @lottemint.md are these params exposed when used in a workflow?
Pretty late, I guess.
Yeah, they are exposed.
If the current user should not see a token in any case, it might help run these actions in the Backend section. There are cases when a key is a dynamic one, and you need to store it in the database - here, you can configure the key’s visibility in the Database > Privacy section.