Sensitive Information in Custom State

If one were to store an API token in a custom state, are these exposed?

Everything on the client side is exposed, including the states.

I thought so, but the demo app of one of the box.com plugins I bought was doing that for some reason.

Hey @lottemint.md, are these params exposed when used in a workflow?

Pretty late, I guess.

Yeah, they are exposed.
If the current user should not see a token in any case, it might help to run these actions in the Backend section. There are cases when a key is a dynamic one, and you need to store it in the database - here, you can configure the key’s visibility in the Database > Privacy section.