Storing & Using User API keys

I’m trying to work out best practice for allowing users of my app to connect to their stock-keeping software.

I’m planning to save encrypted API keys on my app database. I’m not quite sure how I would then go about initiating an API call using the key.

Any tips would be appreciated!

Hi, were you able to find a way to do this?

Bubble doesn’t allow “secrets” to be stored under a separate password (which would be nice, and I asked for years ago) so you don’t have many internal options beyond decrypting it in a workflow step.

There are quite a few external solutions, but none are particularly simple.

I ended up connecting to Shopify only, creating an unlisted partner app (let me know if you need any advice on this) and storing access tokens on my database. In the end the functionality was superfluous for my needs…so went no further than that.

How did you store the access token on the database? Encrypted?

I did but not sure that is much protection really, as you could still run as a given user from the editor?

You’re right - the Run As causes some security implications that are worth diving into depending on the regulatory environment for your app and end user expectations.

A while back, I quickly tested all of the then-available encryption plugins. One thing to be aware of is that some of the plugins I tested actually wrote the unencrypted value to the logs every time it was encrypted or decrypted – eek!

We didn’t end up finding a solution at the time, but were looking into API-based encryption providers before moving on.


Hi everyone - sorry, I’m late to this thread. However, @jamesleese5 and others in the future - if you are looking for how to securely manage sensitive API keys, please check out this post: 🚀 Strac — Securely Store Sensitive PII/PHI Data & API Keys and our website: https://strac.io

Disclaimer: I’m the founder of Strac! 🙂

Hehehe, you could use my OpenPGP.js plugin to do this.

I have not found a way to get around Bubble’s automatic logging of server-side action inputs. It is a major security risk when using server-side encryption plugins. It is safe to store already encrypted data in the database, though. This means you should run user-driven encryption and decryption on the browser side, and then move the data onto the server (after obtaining the appropriate consent).
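
The browser-side approach described in the last post, as an added example that is not part of the thread or of any participant's plugin: it uses the Web Crypto API (PBKDF2 and AES-GCM) instead of OpenPGP.js, and the passphrase, function names and record layout are assumptions. Only the returned record is sent to the server, so a server-side action log never receives the plaintext key.

```javascript
// Added example: seal a user's API key in the browser before it is sent to the server.
// Assumption: the user supplies a passphrase that never leaves the browser.
const wc = globalThis.crypto?.subtle
  ? globalThis.crypto
  : require("node:crypto").webcrypto; // Node fallback so the code also runs offline

const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Derive an AES-256-GCM key from the passphrase with PBKDF2-SHA-256.
async function deriveKey(passphrase, salt, iterations) {
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations, hash: "SHA-256" },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Returns the only object that should be posted to the server and stored in the database.
async function sealApiKey(apiKey, passphrase, iterations = 600000) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh nonce for every encryption
  const key = await deriveKey(passphrase, salt, iterations);
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(apiKey));
  return { v: 1, iterations, salt: b64(salt), iv: b64(iv), ct: b64(ct) };
}

// Runs in the browser after the record is fetched back.
// Rejects if the passphrase is wrong or the stored record was modified (GCM tag check).
async function openApiKey(record, passphrase) {
  const key = await deriveKey(passphrase, unb64(record.salt), record.iterations);
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv: unb64(record.iv) }, key, unb64(record.ct));
  return new TextDecoder().decode(pt);
}
```

This covers storage only: any call made with the decrypted key from a server-side workflow would pass the plaintext through the logged inputs again.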