Where/how are plugin secrets stored?

Just dotting my i’s here… for plugins like Airtable, Stripe, etc., is it safe to assume that the private keys (provided in the plugin settings) never make their way to the frontend of a deployed application?

I assume these are stored on WeWeb servers?

Thanks!

Hi @clncsports,
You can take a look at our code plugin on GitHub.
Indeed, each plugin has what we call a public and a private configuration.
Private configuration is stored on our server, and is available only in the editor (so for people developing the app). It will not be available on the client side of the published app.

  • The Airtable key is indeed on our server, and requests go through our server, as the key is also needed to make requests on the published app.

  • For some plugins, the private key is used only in the editor to have admin access. This allows us to list the different endpoints for you. Then it's not needed anymore on the published app. This is the case for Supabase: we need it in the editor to display a nice configuration interface for you, but it's not needed in the published app.

  • Then for some plugins, you have what we call a public key. The key is a way to identify your backend app, but it’s meant to be on the front end and public. In this case the key is in the public part of the configuration, because it is needed on the published app, client side. This is the case for a second key in Supabase.

1 Like

Excellent. Thank you @aurelie!
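
The Supabase case from the answer above, as an added example that is not part of the thread or WeWeb's code: a check that scans published front-end text for JWT-format Supabase keys and flags any whose `role` claim is not `anon`. It assumes the keys are JWTs carrying a `role` claim of `anon` (public) or `service_role` (private); the function names and sample tokens are constructed for illustration.

```javascript
// Added example: audit published front-end text for Supabase JWT-format keys.
// Assumption: keys are JWTs whose payload carries a "role" claim.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// base64url-encode a JSON object (used only to build the constructed samples)
const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Decode the middle (payload) segment of a JWT without verifying the signature.
function decodePayload(token) {
  const seg = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  try {
    return JSON.parse(Buffer.from(seg, 'base64').toString('utf8'));
  } catch (err) {
    return null; // matched the pattern but is not a decodable JWT
  }
}

// Returns one finding per distinct JWT found in the bundle text.
function auditBundle(text) {
  const findings = [];
  for (const token of new Set(text.match(JWT_RE) || [])) {
    const payload = decodePayload(token);
    if (!payload) continue;
    const role = payload.role || 'unknown';
    findings.push({
      role,
      ok: role === 'anon', // only the public key belongs in client-side code
      preview: token.slice(0, 12) + '...', // never log the full token
    });
  }
  return findings;
}

// Constructed tokens: unsigned placeholders, not real keys.
const fakeKey = (role) =>
  [b64url({ alg: 'HS256', typ: 'JWT' }), b64url({ iss: 'supabase', role }),
    'constructed-signature'].join('.');

const goodBundle = `createClient("https://example.invalid", "${fakeKey('anon')}")`;
const badBundle = goodBundle + `;const admin="${fakeKey('service_role')}"`;

console.log(auditBundle(goodBundle));
console.log(auditBundle(badBundle));
```

Run it over the JavaScript and HTML files of a published build; any finding with `ok: false` means a non-public key reached the client and should be rotated.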