What is the appropriate way to manage API secrets within a Google Apps script?

Question

If I write a google apps script, and within the script I need to invoke third party APIs or make database calls, what is the appropriate way of managing secret API keys and passwords?

Is there any risk in placing the secrets directly within the script if I publish the script as an API but don't share access to the Google Drive location that contains the Google Apps script

Answer 1

You can now make a library with hidden functions (using a trailing underscore) so that another script cannot remotely access the hidden functions. Simply store the credentials in a hidden function, then call that function within the library script, then reference the library script from another script.

Answer 2

There is no right or wrong answer. There are numerous factors to consider:

• If this is for/in G-Suite, then your G-Suite admins'll have (or can get) access to anything. This may or may not be an issue.
• If you put the data in a sheet, anyone that has read access to the sheet can see the data.
• You can use PropertiesService but then folks can access as explained in the documentation. User properties is one way but may not work in all use-cases -- like if another user is executing the code. You could use installable triggers if that is do-able for your use-case.
• If folks need to be able to make the API call with your key, you could write a proxy web-app that they can call but not see source for.