Hello everyone. I am building a forge app via custom UI that requires me to store user’s tokens safely and securely. The token is generated by calling another external API. At the moment I’m storing the token in Forge’s Storage API mostly for ease of use. For every request, I have to check whether a token exists in storage (for that particular user using a specific key) and If so attach the data as headers to the requests (for authenticated requests). But it was mentioned in the documentation that no such secrets should be stored in the Storage service. In order to overcome that I thought that I could just encrypt the user’s token before storing it using an environment variable as a salt. But unfortunately, forge doesn’t support the crypto module so I had to resort to a custom encryption algorithm. Now that the background has been set I want to ask, What is the safest possible way to store users’ tokens keeping these requirements (Forge custom UI, fast token access, and encrypted tokens ) in mind and whether or not I should abandon storing such important credentials in the Storage API completely? Thank you.
You’re in luck!
We’ve just extended our storage API to be able to store secrets.
https://developer.atlassian.com/platform/forge/runtime-reference/storage-api/#storage-setsecret
https://developer.atlassian.com/platform/forge/changelog/#CHANGE-330
2 Likes
Thank you so much. Yes that’s exactly what I was looking for. I still can’t believe that the new API was released almost at the same time I asked this question. Forge ROCKS !!!
1 Like