JackNapier

Reputation: 448

Public Google Apps Script - how can I make my API key hidden but still retrieve it?

I have a script that retrieves a webhook (meaning it has to be deployed as a publicly accessible App), and then uses an API to send a message.
The API requires using a key and secret, which I obviously don't want accessible to the public.

Q1: Is there a way to hide an API key/secret in another script and somehow have it accessible?
(Or any other similar solution - doesn't have to be fancy, just functional/safe).


Alternate Question:
Q2: What can a stranger actually see in my public Apps Script project? The full code? If I hide keys in a function with an underscore, i.e. function name_(){}, can they read it?

IMPORTANT INFO: I have not 'shared' the project or spreadsheets with anyone, they're still private. But I've 'deployed' the Web App with permissions for 'anyone'. I assume that means anyone can access?

Upvotes: 0

Views: 2119

Answers (2)

Kodomo

Reputation: 83

My project met this issue, too. Because the number of functions is not too large, I hide my main GAS behind a dummy one. So far I had 2 GAS:

  1. The main GAS with the key and all functions, which I deploy as a Web App. Of course you need doGet or doPost to act as the entrance of the API.
  2. The dummy one to share with users.

Then you can call something like the below in the dummy GAS:

    var url = 'https://script.google.com/macros/s/xxxxxxxxxxx/exec';
    UrlFetchApp.fetch(url,{'method': 'get'});

I hope it's useful in your case.

Upvotes: 0

Logan

Reputation: 2140

Everything in the script is visible to whoever has access (script owner, workspace admins, added users). If only the URL of the web app is shared and the script itself is not shared, then they are not able to access the script, so technically you can still keep them in your script. It is safe there, and only the owner and workspace admins (if it is for Google Workspace) can access it.

A way you can store/save the key is by storing it in script properties. Doing this, you only need to run the script once to store the API key; moving forward, you can remove the API key from the script and it will still run: https://developers.google.com/apps-script/guides/properties#saving_data

Also refer to this post for more information; in my posted answer I have also provided alternatives and reference links: Is it safe to put in secrets inside Google App Script code?

Upvotes: 1
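The script-properties approach from the answer above, sketched as an added example (not code from any of the posters): the key and secret are read from script properties at request time, and the public `doPost` response carries only a success flag. The property names `API_KEY` / `API_SECRET`, the endpoint URL and the `X-Api-*` headers are assumptions standing in for whatever the real API expects.

```javascript
// Added example (Apps Script, V8 runtime). Assumed names: API_KEY, API_SECRET,
// API_URL and the X-Api-* headers are placeholders, not from the posts above.
const API_URL = 'https://api.example.com/v1/messages'; // placeholder endpoint
const REQUIRED = ['API_KEY', 'API_SECRET'];

// Run once from the editor, then delete the literal values from the source.
function storeSecretsOnce(store, key, secret) {
  store.setProperties({ API_KEY: key, API_SECRET: secret });
}

// Fail closed: refuse to call the API if a property was never stored.
function loadCredentials(store) {
  const creds = {};
  for (const name of REQUIRED) {
    const value = store.getProperty(name);
    if (!value) throw new Error('Missing script property: ' + name);
    creds[name] = value;
  }
  return creds;
}

// Core handler with services passed in, so it can be exercised outside Apps Script.
function handleWebhook(body, store, fetchFn) {
  try {
    const creds = loadCredentials(store);
    const res = fetchFn(API_URL, {
      method: 'post',
      contentType: 'application/json',
      headers: { 'X-Api-Key': creds.API_KEY, 'X-Api-Secret': creds.API_SECRET },
      payload: JSON.stringify({ text: String(body).slice(0, 500) }),
      muteHttpExceptions: true, // get a response object back on 4xx/5xx
    });
    const code = res.getResponseCode();
    return { ok: code >= 200 && code < 300 };
  } catch (err) {
    console.error('webhook failed: ' + err.message); // execution log, not the HTTP response
    return { ok: false }; // the public caller never sees error text or keys
  }
}

// Web app entry point: the only thing an anonymous caller can reach.
function doPost(e) {
  const result = handleWebhook(e.postData.contents,
    PropertiesService.getScriptProperties(),
    (url, opts) => UrlFetchApp.fetch(url, opts));
  return ContentService.createTextOutput(JSON.stringify(result))
    .setMimeType(ContentService.MimeType.JSON);
}
```

To seed the values, call `storeSecretsOnce(PropertiesService.getScriptProperties(), key, secret)` once from a temporary function in the editor, or enter them under Project Settings > Script properties. Anyone with edit access to the script project can still read script properties, so this only protects the key while the project itself stays unshared.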
