Rohit Eddy
Jul 28, 2018 · 2 min read

Apps that integrate with third-party systems usually have to make API calls to these systems to retrieve or modify data. This requires sensitive information, such as API keys, usernames, and passwords, which users enter when installing apps.

The Freshworks Marketplace platform secures all installation parameters (iparams) by taking the following precautions:

  • Encrypting all iparams before storing them in our database. The iparams are not shared with the app developer.
  • Hosting the database in the same region as your account to ensure GDPR compliance.
  • Ensuring that iparams are accessible only to the appropriate instance of the app.

Note: Ensure that all apps (including custom apps) use iparams to retrieve sensitive information so as to benefit from the aforementioned precautions.

However, if iparams are retrieved in the front-end component of the app to make API calls, then it is possible for an app user to view these parameters via the browser console. One way to avoid this is to include a serverless component and make all API requests from there. This can be achieved using server method invocation. which is a rather cumbersome workaround.

We have added support for secure installation parameters from v4.3.8 of the CLI. If you are using standard installation pages, you can mark an iparam as secure by following the format shown below.

{      
"apiKey":
{
"display_name": "Api Key",
"type": "text",
"required": true,
"secure": true
}
}

If you are using a custom installation page, you can mark iparams as secure by including them in a secure array when the app’s postConfigs method returns the list of iparams.

return {       
__meta: {
secure: ["api_key"]
},
api_key
}

Secure iparams cannot be accessed in the front-end component of the app; attempting to do so will result in an error. They have to be used in conjunction with the Request API as shown below.

var headers = {"Authorization": "Basic <%= encode(iparam.api_key) %>"};

We hope this change helps you deliver high quality apps that are compliant with the highest security standards.


Please reach out to us at marketplace@freshworks.com if you have any questions about this update. \

Freshworks Developer Platform Blog

The official Freshworks Developer Platform Blog. We cover platform updates, developer showcases, tutorials, how-tos and much more

Rohit Eddy

Written by

PM, Freshworks Developer Platform

Freshworks Developer Platform Blog

The official Freshworks Developer Platform Blog. We cover platform updates, developer showcases, tutorials, how-tos and much more

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade