Is it acceptable to store user-provided API keys in a public setting if the user needs to edit them?
Answer
No, it is not acceptable to store user-provided API keys in a public setting, even if the user needs to edit them. API keys should be stored securely in protected custom settings or protected custom metadata. If the user needs to edit them, you can create a secure interface or mechanism that restricts access to privileged users only. This ensures the security of sensitive data while allowing necessary modifications.
Is it acceptable to store user-provided API keys in a public setting if the user needs to edit them?
Recommended Answer Update
No, it's not acceptable to store user-provided API keys in a public setting, even if the user needs to edit them. API keys should be stored securely in protected custom settings or protected custom metadata. If the user needs to edit them, you can create a secure interface that restricts access to privileged users only. This ensures the security of sensitive data while allowing necessary modifications.
Reasoning
The answer was improved for clarity and conciseness by removing redundant phrases like 'or mechanism' and streamlining the language while preserving all original points and information. The core security guidance remains exactly the same - no public storage of API keys, use protected settings, create secure interfaces for editing. All related security rules are highly relevant: ApexSuggestUsingNamedCred directly relates to the FAQ's topic of API key storage and recommends Named Credentials over hardcoded storage. AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarAssign, and AvoidHardcodedCredentialsInVarDecls all detect hardcoded credentials in various code contexts, which connects to the FAQ's discussion of secure API key storage practices. ProtectSensitiveData encompasses the broader security principle of protecting sensitive information like API keys that the FAQ is teaching.