Are forge environment variables exposed to the users of application? (i.e is it safe to have api key to external api inside environment variables)

This is probably obvious, and I assume the answer is no but since this is such important thing from security perspective, I thought I 'd make sure.

My app will be contacting external api. For user I can handle this with oauth but for scheduled tasks I’m forced to store api key somewhere and send requests that way. If I add encrypted environment variable to my app and have secret information like API key there. Can people who use or install the app from the atlassian store store app access that api key or is it secure so only the forge backend and myself are able to see it?

Hey Erik,

Yep :+1: encrypted environment variables and storage.setSecret are the recommended ways to store secrets or credentials in your app.