Use Workers Secrets to Securely Store API Credentials

Published 4 years ago
Updated 4 years ago

In this lesson, we'll use Workers Secrets to store our API credentials for Unsplash, an image API. This will allow us to safely deploy our application and publish it on GitHub without revealing any private keys or API tokens.

Instructor: [0:00] You'll notice that we use CLIENT_ID as a constant here to refer to the Unsplash API client ID that was given to us when we created a new Unsplash application. This is a public key, so it's OK to share.

[0:11] A lot of the time there is stuff like secrets and user IDs and things that we don't want to have embedded in our code. The solution to that is something called Wrangler Secrets. To start, I'm going to delete this line of code.

[0:23] You'll see I'm still using this constant here, CLIENT_ID, but it's not inside of my code at all. What I'm going to do is I'm going to open up my terminal and I'm going to say, wrangler secret put CLIENT_ID.

[0:35] It's important that this matches the name of the constant in our code. CLIENT_ID matches CLIENT_ID. I'll press Enter and you'll see there's this information here, "Enter the secret text you'd like assigned to the variable CLIENT_ID on the script named serverless-api."

[0:51] Once again, I'll paste in my CLIENT_ID. I'll press Enter. You can see it says, "Creating the secret for script name serverless-api. Success! Uploaded secret CLIENT_ID." Now, if I run wrangler publish, it successfully published my script once again to serverless-api.signalnerve.workers.dev.

[1:10] If I open it up, you can see I get this huge JSON output back, which looks a lot like what we're looking at in our terminal. It was able to successfully make an authenticated API request to Unsplash without storing our CLIENT_ID in the code.

[1:23] Although this CLIENT_ID is a public-facing key, so it would be fine for us to put in our code, often, it's good practice to take anything that resembles secrets, or API information, API keys, anything like that, and put it inside of a secret like this.

[1:38] For instance, the Unsplash API secret key, which you won't need for any of the API requests that we're using in our API, definitely should be inside of a wrangler secret, because that's the kind of thing that you would never want to expose to a user.

[1:51] The last thing you need to know about wrangler secrets is that you can, of course, put new secrets into your Workers function. You might also want to see which ones are set. To do that, you can run wrangler secret list, which would give you back a list of all the secrets you have set on your function: name, CLIENT_ID, and then type is secret_text.
