Best practice for secrets

  • pigeonflight-1259255368266027149

    David Bain

    1 year ago

    How do I manage secrets like API keys with toddle?
  • max.kayr-1259259107878371388

    Max

    1 year ago

    Hi! Toddle is a frontend builder, and secrets used in Toddle will be exposed in the browser. Secrets should be stored in the backend for security. While Toddle may implement a secret store in the future, it's likely intended for testing purposes. In short, keep secrets in your backend 😊
  • pigeonflight-1259269030200606912

    David Bain

    1 year ago

    🤔 and if my backend requires that I use an api key?
  • max.kayr-1259271024214675466

    Max

    1 year ago

    A proper backend that is customer-facing should not require an API key but should work with short-lived tokens or sessions. What do you use as a backend?
  • pigeonflight-1259281526189981707

    David Bain

    1 year ago

    Depends on the project. For this scenario, I'm working on a frontend for SuperSaaS's API which only offers an API key (not session-based). I may have to wrap the SuperSaaS API in an API 🤷🏾‍♂️
  • Tod-1259281527293083780

    Tod

    1 year ago

    Great energy @David Bain! Your continuous contribution to the toddle Community just made you advance to Community Level 1!
  • max.kayr-1259398154827206707

    Max

    1 year ago

    That is correct. SuperSaaS is not a backend per se. They give you limited access to their backend via an API. If you want to access this API securely, you need a backend yourself (like Xano, Supabase, Buildship, Fastgen, Directus...). If you want to get data from SuperSaaS in Toddle, you call your backend where you do authentication and the API key is stored securely, your backend calls the SuperSaaS API and returns the response to Toddle.
  • pigeonflight-1259482718455070802

    David Bain

    1 year ago

    Fair enough. I've moved to Fastgen... so now Fastgen is doing the SuperSaaS api calls on behalf of my app.
    Based on what you're suggesting, the user will need to authenticate against my fastgen backend before they can "call" the "sensitive" data from my endpoints.
  • lucasg-1259505343679959091

    Lucas G

    1 year ago

    It has been somewhat talked about that toddle might be getting secrets management (for APIs) in the future, but there is no timeline as to when those changes would happen.
    That said, what Max has outlined is still the optimal approach.
    Handling authentication on the backend is the right call.
  • paul_townsend-1259604201131085878

    Townsend

    1 year ago

    Does this mean, even with Toddle as a front end, the user needs to log into the server before being granted data access?
  • pigeonflight-1259713554223726623

    David Bain

    1 year ago

    This would simplify things.
  • lucasg-1259714762099654729

    Lucas G

    1 year ago

    If the data is properly secured, then yes.
    A login would have to happen.
    Unless you are just making a static or public site/app.
  • max.kayr-1259770435919282228

    Max

    1 year ago

    I'm not sure I understand your question. The user won't have to log in to a server directly, if that is what you mean. You need to send the credentials from Toddle to the server and receive a token in return. The user won't see that. Maybe this article from Toddle helps: https://docs.nordcraft.com
  • Tod-1259770437336961104

    Tod

    1 year ago

    Great energy @Max! Your continuous contribution to the toddle Community just made you advance to Community Level 9!