@BradleyFishman,
Both encrypted storage and env variables are appropriate for secrets. I think plain-text variable injection is pretty standard and safe. When you obtain secrets from the encrypted storage, those are also going to be “passed to your app’s environment as clear text”.
Before I explain the options available, I want to be clear about the language in the Forge docs:
- deploy (or deployment as a noun): The act of bundling and sending your app’s code to the Forge platform. App versions, environments, and env vars are coupled to deployment.
- install (or installation as a noun): The act of authorizing and connecting your app to a specific site. The auth and storage are coupled to installation and are isolated between them. Site A cannot see Site B’s data or APIs (at least not without some Forge Remote acting as a proxy between them).
Apps must be deployed first before they can be installed on any site.
Yes. But, from your example, I think you meant env var per installation, which is no.
In theory, you could deploy the same app 3 times, and then install each one with separate env vars. That would mean you need to use forge register
to get new app Ids, for each potential deployment, and juggle those ids for the same codebase.
In practice, this is too clever. It will make the already difficult relationship between your source code and the deployed versions more confusing. That, in turn, makes it confusing when you’ll have major versions and the necessary admin intervention to update. My team runs the Dev Assistant App, which we tried to manage as multiple deployments, and I don’t recommend it.
I recommend using 1 API key for the 1 API. Do use the env var option instead of the encrypted storage. Less configuration involving UI will be more secure; less chance to leak secrets. All 3 installations to your 3 different sites will share the same env vars and, hence, the same API key.
Refreshing on a cycle of days is a bit unexpected but simple enough with automation. Each time the secret changes, update the env vars (using the Forge CLI), and then redeploy. The change in variables won’t trigger a major version bump, which means updates happen automatically. And a simple continuous delivery pipeline should make it easy to redeploy on the rotation schedule.