Use Workers Secrets to Securely Store API Credentials

Share this video with your friends

Send Tweet
Published a year ago
Updated a year ago

In this lesson, we'll use Workers Secrets to store our API credentials for Unsplash, an image API. This will allow us to safely deploy our application and publish it on GitHub without revealing any private keys or API tokens.

Instructor: [0:00] You'll notice that we use client ID as a constant here to refer to the Unsplash API client ID that was given to us when we created a new Unsplash application. This is a public key, so it's OK to share.

[0:11] A lot of time there is stuff like secrets and user IDs and things that we don't want to have embedded in our code. The solution to that is something called Wrangler Secrets. To start, I'm going to delete this line of code.

[0:23] You'll see I'm still using this constant here, client ID, but it's not inside of my code at all. What I'm going to do is I'm going to open up my terminal and I'm going to say, Wrangler secret put client ID.

[0:35] It's important that this matches the name of the constant in our code. Client ID matches client ID. I'll press Enter and you'll see there's this information here, "Enter the secret text you'd like assigned to the variable client ID on the Script named serverless API."

[0:51] Once again, I'll paste in my CLIENT_ID. I'll press Enter. You can see it says, "Creating the secret for script name serverless-api. Success! Uploaded secret CLIENT_ID." Now, if I run wrangler publish, it successfully published my script once again to serverless-api.signalnerve.workers.dev.

[1:10] If I open it up, you can see I get this huge JSON output back, which looks a lot like what we're looking at in our terminal. It was able to successfully make an authenticated API request to Unsplash without storing our CLIENT_ID in the code.

[1:23] Although this CLIENT_ID is a public-facing key, so it would be fine for us to put in our code, often, it's good practice to take anything that resembles secrets, or API information, API keys, anything like that, and put it inside of a secret like this.

[1:38] For instance, the Unsplash API secret key, which you won't need for any of the API request that we're using in our API, definitely should be inside of a wrangler secret, because that's the kind of thing that you would never want to expose to a user.

[1:51] The last thing you need to know about wrangular secrets is that you can, of course, put new secrets into your Workers function. You might also want to see which ones are set. To do that, you can run, wrangular secret list, which would give you back a list of all the secrets you have set on your function, name, client ID, and then type is secret_text.