Best practice around storing external API tokens.

philmayfield
Kilo Contributor

I am working on integrating a few endpoints of our API into an incident form so our users can automatically create records on creation, or manually on update.  The UI side of things is pretty straightforward; where I'm a little hung up is on making the API calls.  Specifically, the storage of the user's API bearer token.  Our API employs the Authorization Request Header Field method, where the header includes something like:

Authorization: Bearer abc123

Where "abc123" is the API token.  I can simply add this to the header option of a Rest Message and it works, but it seems insecure to have that hanging around in plain text, and redundant if I need multiple endpoints.

Is there a better place to store that info?


Hi @philmayfield - Please let me know if you were able to get a solution for storing the token.

Tony Chatfield1
Kilo Patron

Hi, OOB the token_received field may not be visible on the form, as the normal expectation is that it will not be manually edited.
There is an OOB 'name' field on the table and it is free text. As there may be multiple token types per integration, I would normally use the 'peer' (Application Registry) and 'type' fields in my token lookup,
but I don't think a new 'u_name' field will cause any issues.

The token_received field should be encrypted and you can probably decode it with something like

    // Look up the stored access token for this integration (the 'peer' is the
    // Application Registry record) instead of hard-coding it in a REST Message header.
    var myToken;
    var getMyToken = new GlideRecord('oauth_credential');
    getMyToken.addQuery('peer', 'myApplicationRegistry_sys_id');
    getMyToken.addQuery('type', 'access_token');
    getMyToken.query();

    if (getMyToken.next()) {
        // The stored value is encrypted; decrypt it only at the point of use.
        var encr = new GlideEncrypter();
        myToken = encr.decrypt(getMyToken.getValue('token_received'));
    }
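As an added example (not code from the post or from ServiceNow), one way to put that lookup to work for several endpoints: a Script Include-style set of functions that resolves the token from oauth_credential at call time and sets the Authorization header on a RESTMessageV2 call, so no REST Message definition stores the token in plain text and every endpoint shares one lookup. The peer sys_id placeholder and the REST Message name 'Incident API' are assumptions; the header-building helper runs anywhere, the other two only inside a ServiceNow script runtime.

```javascript
// Added example, not the poster's code. Assumes a REST Message named
// 'Incident API' and an Application Registry record whose sys_id replaces
// the placeholder below.

// Pure helper: build the header value and reject tokens that are empty or
// contain whitespace/line breaks (a CR/LF in a header value could smuggle in
// an extra header line). Runs outside ServiceNow too.
function buildAuthHeader(token) {
    if (typeof token !== 'string' || token.length === 0) {
        throw new Error('empty API token');
    }
    if (/\s/.test(token)) {
        throw new Error('token contains whitespace or line breaks');
    }
    return 'Bearer ' + token;
}

// ServiceNow-only: look up and decrypt the stored token (same lookup as the
// reply above), failing loudly rather than sending an empty header.
function lookupToken(peerSysId) {
    var gr = new GlideRecord('oauth_credential');
    gr.addQuery('peer', peerSysId);
    gr.addQuery('type', 'access_token');
    gr.query();
    if (!gr.next()) {
        throw new Error('no access_token credential found for peer ' + peerSysId);
    }
    return new GlideEncrypter().decrypt(gr.getValue('token_received'));
}

// ServiceNow-only: one function serves every method of the REST Message.
// The token is resolved per call and never written to a log line.
function callIncidentApi(methodName, body) {
    var peerSysId = 'PEER_SYS_ID_PLACEHOLDER'; // your Application Registry sys_id
    var req = new sn_ws.RESTMessageV2('Incident API', methodName);
    req.setRequestHeader('Authorization', buildAuthHeader(lookupToken(peerSysId)));
    if (body) {
        req.setRequestBody(JSON.stringify(body));
    }
    var res = req.execute();
    gs.info('Incident API ' + methodName + ' returned HTTP ' + res.getStatusCode());
    return res;
}
```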