# Keys from API Calls visible in github .json
Hello! I'm AppySmith, your support bot expert in everything Appsmith and DevOps!

To hide keys used in API calls and protect sensitive information such as API keys, you should use environment variables. Here are the general steps to achieve this:

- Store your keys in environment variables.
- Update your application to use these environment variables instead of hard-coded keys.
- Remove the keys from your codebase and ensure they're scrubbed from your git history if they were previously committed.
- Update your repository with the changes.

Make sure to use a .gitignore file to exclude your environment variable files (like .env) from being tracked by git. Please take appropriate steps to also rotate your keys if they've been exposed in the repository history since they could have been already compromised. If you need steps on how to remove sensitive data from your git history, let me know! If you don't find my response helpful, you can request to speak to a human agent
How should I store the keys in environment variables? Could you give me a detailed explanation?
Certainly! To store API keys or other sensitive data in environment variables, follow these steps:

1. Create a file to store your environment variables. This is typically named .env.
2. Inside the .env file, add lines for each key-value pair you want to set as an environment variable. For example:

   ```
   API_KEY=your_actual_api_key
   ANOTHER_SECRET=some_other_secret
   ```

3. Make sure the .env file is listed in your .gitignore file to prevent it from being checked into version control:

   ```
   # .gitignore content
   .env
   ```

4. In your application, access the environment variables using the appropriate language-specific syntax. For Node.js, you would use process.env:

   ```javascript
   const apiKey = process.env.API_KEY;
   ```

   For Python, you would use the os module:

   ```python
   import os
   api_key = os.getenv('API_KEY')
   ```

5. Install and use a package like dotenv in Node.js or python-dotenv in Python to load environment variables from your .env file into process.env or the environment. In Node.js, at the top of your main file:

   ```javascript
   require('dotenv').config();
   ```

   In Python, at the start of your script:

   ```python
   from dotenv import load_dotenv
   load_dotenv()
   ```

6. After setting up, remove the hardcoded keys from your code and replace them with references to the environment variables.
7. If your keys were previously committed to Git, use a tool like BFG Repo-Cleaner or git filter-branch to remove them from your commit history. Then, force-push the cleaned history to GitHub.

Remember to securely share the .env file with your team through a secure channel and to not include it in the repository. Would you like instructions on a specific programming language or deployment environment? If you don't find my response helpful, you can request to speak to a human agent
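Since the question is about Node.js, here is an added example (not part of the thread and not the dotenv package's code) showing what the bot's steps 2, 4 and 5 amount to in practice: a small parser for the .env format, a loader that copies the parsed values into process.env without overriding variables already set by the real environment (the same rule dotenv follows), and a requireEnv helper that fails fast when a key is missing while never printing the secret. The .env content and key values below are constructed placeholders, and the function names are assumptions for this example.

```javascript
// Added example: minimal .env handling in plain Node.js, no dependencies.
// In a real project you would normally use require('dotenv').config();
// this shows the mechanics so the behaviour is clear.

// Parse the text of a .env file into a plain object.
// Handles blank lines, '#' comments, quoted values and trailing comments.
function parseDotenv(text) {
  const result = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;   // blank or comment
    const eq = line.indexOf('=');
    if (eq === -1) continue;                              // not a KEY=VALUE line
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) continue;  // not a valid variable name
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted) {
      value = value.slice(1, -1);
    } else {
      const hash = value.indexOf(' #');                   // strip "value # comment"
      if (hash !== -1) value = value.slice(0, hash).trim();
    }
    result[key] = value;
  }
  return result;
}

// Read and parse a .env file from disk (assumed helper; dotenv does this for you).
function loadDotenvFile(filePath) {
  const fs = require('fs');
  return parseDotenv(fs.readFileSync(filePath, 'utf8'));
}

// Copy parsed values into an environment object. Existing variables win, so a
// value set by the deployment environment is never replaced by the file.
// Returns the names that were actually added.
function loadEnv(parsed, env = process.env) {
  const added = [];
  for (const [key, value] of Object.entries(parsed)) {
    if (env[key] === undefined) {
      env[key] = value;
      added.push(key);
    }
  }
  return added;
}

// Fetch a required secret. The error names the variable but never includes
// its value, so a misconfiguration cannot leak the key into logs.
function requireEnv(name, env = process.env) {
  const value = env[name];
  if (value === undefined || value === '') {
    throw new Error(`Missing required environment variable ${name}`);
  }
  return value;
}

// Constructed sample .env content; the key values are placeholders, not real credentials.
const SAMPLE_DOTENV = [
  '# API credentials (constructed sample)',
  'API_KEY="sk-placeholder-not-a-real-key"',
  "ANOTHER_SECRET='some_other_secret'",
  'BASE_URL=https://api.example.com # trailing comment',
  'MALFORMED LINE WITHOUT EQUALS',
  '',
].join('\n');

// Demo: load the constructed sample into a scratch env object and build the
// request header from it instead of hard-coding the key in the API call.
const demoEnv = {};
const added = loadEnv(parseDotenv(SAMPLE_DOTENV), demoEnv);
console.log(`loaded ${added.length} variable(s): ${added.join(', ')}`);
const headers = { Authorization: `Bearer ${requireEnv('API_KEY', demoEnv)}` };
console.log('Authorization header set (value not printed):', Object.keys(headers));
```

To use it against a real file, call `loadEnv(loadDotenvFile('.env'))` once at startup and then read keys with `requireEnv('API_KEY')`; the parser deliberately skips malformed lines rather than guessing at them, and the loader's "existing variables win" rule is what lets the same code run unchanged in production where the secrets come from the platform rather than a file.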
Could you give me instructions on how to do it for an already existing appsmith application?
In node.js
Hi @idle knot, the bot's answer is wrong here. We're still fine-tuning it. Apologies for the confusion.
Instead of storing your headers in plain text in the API, you should create an Authenticated API Datasource first. The datasource securely stores the headers and other credentials on the appsmith server. Then create an API under this datasource, and the header will be inherited, and not visible in the app export or in github.
https://docs.appsmith.com/connect-data/reference/authenticated-api
I apologize for any confusion earlier. In Appsmith, instead of adding sensitive keys directly within the API itself, you should use Authenticated API Data Sources to securely store sensitive information like API keys. Here's a step-by-step guide:

1. Open your Appsmith dashboard.
2. Go to the Datasources section.
3. Click + New Datasource and select the appropriate API datasource type (REST API, for example).
4. In the datasource configuration, add your API headers and authentication information, including your API Key.
   - For headers, use the Key-Value input to add something like Authorization: Bearer .
5. Save the datasource.
6. When creating a new API, select this authenticated datasource. It will automatically use the headers and authentication information you have set.
7. Now, in your API calls that use this datasource, you won't need to add the sensitive keys explicitly; they will be included securely.

After setting up the authenticated datasource, remember to remove any hardcoded API keys from your application and delete or modify any previous commits that might contain the sensitive information if the code was previously version controlled with git. The API headers and credentials stored in an authenticated datasource are secured on the Appsmith server and are not exposed when the app is exported or shared via GitHub or any other version control systems. Please follow the detailed instructions in the Appsmith documentation on working with authenticated APIs: Authenticated APIs in Appsmith Documentation

Let me know if there's anything else I can help with! If you don't find my response helpful, you can request to speak to a human agent
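The thread's underlying problem is that a header typed into an API in plain text ends up in the app export JSON and therefore in GitHub. As an added example (not from the thread and not Appsmith's own tooling), the check below walks an exported app JSON and flags header-like entries whose value is a literal rather than a `{{ ... }}` binding, so it can run before a commit to confirm that the move to an Authenticated API datasource actually removed the credential from the export. It assumes nothing about Appsmith's export schema beyond headers appearing as objects with `key`/`value` fields or as named properties; the field names and the sample export are constructed for this example, and findings are redacted so the check itself never prints the secret.

```javascript
// Added example: scan an exported app JSON for hard-coded credential headers.
// Header names treated as sensitive (extend as needed).
const SENSITIVE_HEADER_RE = /^(authorization|x-api-key|api[-_]?key|x-auth-token|cookie)$/i;

// A template binding such as {{ appsmith.store.token }} or an empty string is
// not a hard-coded secret; anything else that is a non-empty string is.
function isLiteralSecret(value) {
  if (typeof value !== 'string') return false;
  const v = value.trim();
  if (v === '') return false;
  if (/^\{\{[\s\S]*\}\}$/.test(v)) return false;
  return true;
}

// Never echo the secret in a report: keep a short prefix only.
function redact(value) {
  const v = String(value);
  return v.length <= 8 ? '***' : `${v.slice(0, 6)}...***`;
}

// Recursively collect findings. A finding is recorded for:
//  - an object with string `key`/`value` fields whose key is a sensitive header
//    (the shape of a key-value header row), and
//  - an object property whose name itself is a sensitive header,
//    e.g. { Authorization: "Bearer ..." }.
function findHardcodedHeaders(node, jsonPath = '$', findings = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findHardcodedHeaders(item, `${jsonPath}[${i}]`, findings));
    return findings;
  }
  if (node === null || typeof node !== 'object') return findings;

  if (typeof node.key === 'string' &&
      SENSITIVE_HEADER_RE.test(node.key.trim()) &&
      isLiteralSecret(node.value)) {
    findings.push({ path: `${jsonPath}.value`, header: node.key, preview: redact(node.value) });
  }
  for (const [name, child] of Object.entries(node)) {
    if (SENSITIVE_HEADER_RE.test(name) && isLiteralSecret(child)) {
      findings.push({ path: `${jsonPath}.${name}`, header: name, preview: redact(child) });
    }
    findHardcodedHeaders(child, `${jsonPath}.${name}`, findings);
  }
  return findings;
}

// Constructed sample resembling an app export (assumed shape, not Appsmith's schema).
// The first API carries a literal bearer token; the second uses a binding.
const SAMPLE_EXPORT = {
  actionList: [
    {
      name: 'getUsers',
      actionConfiguration: {
        headers: [
          { key: 'Content-Type', value: 'application/json' },
          { key: 'Authorization', value: 'Bearer sk-placeholder-not-a-real-key' },
        ],
      },
    },
    {
      name: 'getOrders',
      actionConfiguration: {
        headers: [{ key: 'Authorization', value: '{{ appsmith.store.token }}' }],
      },
    },
  ],
  datasourceList: [{ name: 'backend', datasourceConfiguration: { headers: [] } }],
};

// Demo run over the constructed export; a non-empty result means the commit
// would still ship a credential.
const sampleFindings = findHardcodedHeaders(SAMPLE_EXPORT);
for (const f of sampleFindings) {
  console.log(`hard-coded ${f.header} header at ${f.path}: ${f.preview}`);
}
console.log(sampleFindings.length === 0 ? 'clean' : `${sampleFindings.length} finding(s)`);
```

In a repository hook you would replace `SAMPLE_EXPORT` with `JSON.parse(fs.readFileSync(path, 'utf8'))` for each exported JSON file and exit non-zero when the findings list is non-empty; a header that has moved into an Authenticated API datasource no longer appears in the export at all, so a clean run is the confirmation that the fix described above took effect.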