Best practice for an API key

I was going to start in on making something using an existing API. Anyone have any thoughts about the best way to store API keys or passwords? In the past I’ve used base64 to encode them and put them in the SQL database, but that’s just one step above storing them as basic text.

I don’t know about “best practices” per se, but I tend to store them as environment variables on the OS

I’m not familiar with this, would it persist after a restart?

Yep, it’s a pretty solid way in my experience. You can see how to set an environment variable here.

Python also has a pretty simple way of getting an environment variable:

import os
print(os.environ['HOME'])
1 Like

Some previous discussion around this in this thread:

In general, the most important thing is to limit the scope of where your secret can possibly be read from. There's some filesystem-based suggestions in that thread that are good practice. Environment variables can work, but aren't guaranteed to be as isolated as you might like them to be, as @pturmel points out in that thread.

Ideally, anything interacting with an API would eventually become an Ignition module - in that case, you can store them encrypted & salted in the internal DB, which is a nice bonus.

3 Likes
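
An added example (not code from any poster in this thread or from Ignition) of the two options discussed above: it reads the key from a file that only the owning account can access, refuses the file if its mode also lets group or other users in, and falls back to an environment variable when no file exists. The file name, the variable name `EXAMPLE_API_KEY`, and `SecretError` are assumptions made for the example, and it is written for standard Python 3 rather than Ignition's scripting environment.

```python
import os
import stat
import tempfile

class SecretError(Exception):
    """Raised when the key is missing or its file is too widely accessible."""

def load_api_key(path=None, env_var="EXAMPLE_API_KEY"):
    """Return the key from an owner-only file, else from the environment (names are hypothetical)."""
    if path is not None and os.path.exists(path):
        st = os.stat(path)
        if not stat.S_ISREG(st.st_mode):
            raise SecretError(f"{path} is not a regular file")
        # Any group/other permission bit widens where the secret can be read from (POSIX only).
        if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise SecretError(f"{path} has mode {stat.S_IMODE(st.st_mode):o}; expected 600")
        with open(path, encoding="utf-8") as fh:
            key = fh.read().strip()
    else:
        # Fallback: the environment is inherited by every child process this one starts.
        key = os.environ.get(env_var, "").strip()
    if not key:
        raise SecretError("API key not configured")
    return key

def demo():
    """Constructed sample data: a fake key in a temp file, then in the environment."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "api_key")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write("constructed-example-key\n")
        results["strict"] = load_api_key(path)   # mode 600: accepted
        os.chmod(path, 0o644)                    # now world-readable
        try:
            load_api_key(path)
            results["loose"] = "accepted"
        except SecretError:
            results["loose"] = "rejected"
    os.environ["EXAMPLE_API_KEY"] = "constructed-env-key"
    results["env"] = load_api_key(None, "EXAMPLE_API_KEY")
    del os.environ["EXAMPLE_API_KEY"]
    return results

if __name__ == "__main__":
    print(demo())
```
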

hrm ok thanks for the input. maybe I just won’t worry too much about it for now until it’s time to make it a module

If anyone’s interested in learning a bit about Java development, you can refine this proof of concept I just whipped up:

It adds a new section to the config page of the gateway that lets you define named secret values, and then (within the gateway scope) you can run system.secrets.getSecret(<name>) to retrieve the un-encoded value.

6 Likes