Secure API Calls

If I create a collection using the REST API plugin and set it to make the request through a server, are my API key and endpoint hidden/secure?

I tested this by inspecting the network traffic after fetching the collection using a button that triggers a workflow. The answer seems to be yes, but I wanted to make sure.

Thanks!

I think it’s still vulnerable; it just sends the request through a proxy server to avoid CORS.


@carrano_dot_dev go to inspect elements in your browser, then go to the network tab, and then make your REST call. You’ll see exactly what the user will see in the payload and response.

Yes I did that, and the sensitive info seems to be hidden, but I’m not a security expert, so perhaps someone could still obtain the info. I’m not sure.

For example, perhaps someone could alter the call to the proxy server to reveal the endpoint. I don’t know!

There’s all sorts of crazy stuff people can maliciously do with APIs. Someone more knowledgeable will need to chime in. Can your back-end do the API calls instead?

No need to be a hackerman to do this. It’s just more nested within the payload… You can still see everything.

Yikes. I didn’t check the graphql call.

I just checked my Airtable collections and they also expose the personal access token through that call.

Weweb should be more clear about this.

There is nothing about securing the call, and it’s also been discussed on this forum more than once, I think. Indeed, a flag for people in bold/red would be nice. It kind of gives off “secured call” vibes.


Hello 👋

Yep, it’s something we added throughout the user docs and in our academy, but we need to add it inside the product as well.

We just agreed on the wording earlier this week and expect it to be live on Sept 27th 🙂