API Key Management
The system provides a Keyvault which is encrypted storage in the system's database.
The Keyvault is most commonly used as a place to store API credentials, like API keys and OAuth client ids and secrets.
The root admin account
The system's root admin account is the one whose Keyvault should contain all needed API credentials for publicly used apps.
The root admin account's Keyvault is accessible via the Admin Console. Alternatively, if the root admin account is signed into the assembly editor, the keyvault option under the account menu can be used:
In order to support API development on a single system where there could be independent developers who do not work for the same organization, each account also has its own Keyvault.
This is not a typical scenario. The most common scenario is that only the root "admin" account's Keyvault is used to store API keys and other sensitive information.
Developers may access their own Keyvaults from the assembly editor's account menu here:
The Keyvault dialog provides functionality to add/edit/remove items and to export/import all items in the Keyvault:
To edit an item, double-click an item in the list:
It's a good idea to use the description field to fully document how to obtain the API key or piece of information.
Accessing Keyvault values in assemblies
The Utility - Keyvault Value module is used to fetch a saved value from the Keyvault.
The most common use of the Keyvault is to store needed API credentials like OAuth client ids and secrets needed for app connection assemblies:
For extra safety, configure the Utility - Keyvault Value modules to protect their output data. See Protecting output data.
The module has a dropdown pick list to configure which account's Keyvault should be used when the assembly is executed outside of the assembly editor:
The "author" is the account that first saved the assembly, or the account that has later taken ownership of it (see Taking ownership of an assembly).
The module enforces certain behaviors depending on this setting and also where the assembly is being executed as a way to protect access to API keys and other values stored in keyvaults, as well as to facilitate development in the assembly editor.
Executing the assembly in the assembly editor
When an assembly containing a Utility - Keyvault Value module is executed in the assembly editor, the following rules apply:
- If the server being used is a development server, the selected account's Keyvault is accessed.
- If your account has the "Assembly Administrator" permission or you have used the "Switch Account" functionality to switch accounts, then the selected account's Keyvault is accessed.
- Otherwise your account's Keyvault is accessed.
Executing the assembly outside of the assembly editor
When the assembly is executed outside of the Assembly Editor, the selected account's Keyvault is accessed.
For baseline assemblies the assembly author will be the root admin account, whose Keyvault is accessible in the Admin Console.