What is the appropriate way to manage API secrets within a Google Apps script?

by

There is no right or wrong answer. There are numerous factors to consider:

  • If this is for/in G-Suite, then your G-Suite admins’ll have (or can get) access to anything. This may or may not be an issue.
  • If you put the data in a sheet, anyone that has read access to the sheet can see the data.
  • You can use PropertiesService but then folks can access as explained in the documentation. User properties is one way but may not work in all use-cases — like if another user is executing the code. You could use installable triggers if that is do-able for your use-case.
  • If folks need to be able to make the API call with your key, you could write a proxy web-app that they can call but not see source for.

More Related Contents:

  1. Authentication versus Authorization
  2. How to properly do private key management
  3. Use App Scripts to open form and make a selection
  4. Best practices for server-side handling of JWT tokens [closed]
  5. How can pass the value of a variable to the standard input of a command?
  6. How should I ethically approach user password storage for later plaintext retrieval?
  7. How can bcrypt have built-in salts?
  8. Are HTTPS headers encrypted?
  9. Has reCaptcha been cracked / hacked / OCR’d / defeated / broken? [closed]
  10. Restrict access to a specific controller by IP address in ASP.NET MVC Beta
  11. What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication?
  12. Differences Between Rijndael and AES
  13. Why are porn sites appearing in my Google Analytics data?
  14. Declaring Spring Bean in Parent Context vs Child Context
  15. Is there any possible ways to bypass cloudflare security checks?
  16. Secure keys in iOS App scenario, is it safe?
  17. Send mail via Gmail with PowerShell V2’s Send-MailMessage
  18. Is JSONP safe to use?
  19. Using Symfony2’s AccessDeniedHandlerInterface
  20. Google App Scripts cannot be given Authorization or Permission
  21. Is it safe to enable ”Access-Control-Allow-Origin: *“ (wildcard) for a public and readonly webservice?
  22. Why not use HTTPS for everything?
  23. Where is the PEM file format specified?
  24. Difference between CSRF and X-CSRF-Token
  25. SSO with CAS or OAuth?
  26. How to send password securely via HTTP using Javascript in absence of HTTPS?
  27. My website got hacked.. What should I do? [closed]
  28. Has Hardware Lock Elision gone forever due to Spectre Mitigation?
  29. Am I under risk of CSRF attacks in a POST form that doesn’t require the user to be logged in?
  30. Understanding CSRF

Leave a Comment