Security of Auth Tokens in Script

Hey! I’m very new to API calls and HTTP requests, and I’m wondering what the best practices are when it comes to security. I’m using a script button to update a Webflow CMS item using the Webflow API. I put the Auth token directly in the script, and I’m wondering if this is a mistake. Same thing for the other way, where, using Webflow Logic, I bring form submissions into Fibery directly. I heard that people use Postman as a middle man; is this for security? Is it needed? How does it work?

Thanks!
Ron

If you are okay with admin access to the tokens: I use a dedicated database in a separate space for API tokens and other environment variables that my scripts use. Your script can then access these at runtime without directly exposing them in the code. Regarding Postman: that works on your local machine, not on the Fibery server, as far as I know.

Additionally, you could slightly obfuscate the token in your script (e.g., by converting it with a key stored in a field, or by splitting it into parts and combining them at runtime). This is weak security, but better than directly exposing the full token in a database field or in the script.
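The "dedicated database in a separate space" pattern described above, as an added example that is not code from the thread or from Fibery: a Fibery action script that looks up its Webflow token from a secrets database at runtime, fails closed if the secret is missing, keeps the token in a header only, and redacts it before logging. The database name `Config/Secrets`, its fields `Config/Name` and `Config/Value`, the entity fields `Webflow Collection` and `Name`, and the Fibery service calls `context.getService('fibery')`, `fibery.executeSingleQuery(query, params)` and `http.postAsync(url, options)` are assumptions to adapt to your workspace; the request shown creates a collection item, and an update uses the same header with Webflow's PATCH endpoint instead.

```javascript
// Added example (not from the thread): a Fibery action script that reads its
// Webflow token from a dedicated "Secrets" database instead of hard-coding it.
// Assumed names: database "Config/Secrets" with fields "Config/Name" and
// "Config/Value", Fibery's context.getService('fibery') / ('http'),
// fibery.executeSingleQuery(query, params) and http.postAsync(url, options).
// Nothing Fibery-specific runs at load time; only run() needs the runtime.

// Pick the secret named `name` out of the query rows. Fail closed: a missing
// or empty secret aborts the action rather than sending an empty bearer token.
function selectSecret(rows, name) {
  const row = (rows || []).find((r) => r['Config/Name'] === name);
  const value = row ? row['Config/Value'] : undefined;
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error(`secret "${name}" not found or empty`);
  }
  return value.trim();
}

// The token goes in a header only; URLs and request bodies tend to end up in logs.
function authHeaders(token) {
  return { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' };
}

// For anything written to the script log: enough to tell tokens apart,
// never enough to reuse one.
function redact(token) {
  if (typeof token !== 'string' || token.length < 12) return '****';
  return `${token.slice(0, 4)}...${token.slice(-4)}`;
}

// Fibery entry point for a button on the entities that mirror CMS items
// (requires the Fibery runtime; not invoked here).
async function run(context, args) {
  const fibery = context.getService('fibery');
  const http = context.getService('http');
  // Assumed query shape: fetch the one row whose Name matches.
  const rows = await fibery.executeSingleQuery(
    {
      'q/from': 'Config/Secrets',
      'q/select': ['Config/Name', 'Config/Value'],
      'q/where': ['=', ['Config/Name'], '$name'],
      'q/limit': 1,
    },
    { $name: 'webflow-api-token' },
  );
  const token = selectSecret(rows, 'webflow-api-token');
  console.log(`using token ${redact(token)}`); // never the raw value

  // Assumed entity field names; Webflow v2 "create item" endpoint.
  for (const entity of args.currentEntities) {
    const collectionId = encodeURIComponent(entity['Webflow Collection']);
    await http.postAsync(`https://api.webflow.com/v2/collections/${collectionId}/items`, {
      headers: authHeaders(token),
      body: JSON.stringify({ fieldData: { name: entity['Name'] } }),
    });
  }
}
```

Because the secret lives in its own space, you control who can open that database independently of the space the button lives in; the script still has to be readable only by people you would trust with the token, since anyone who can edit it can make it print the value.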

Okay, makes sense, thanks! Glad to hear I’m exposing my API key to the public. I assume the same is the case the other way? Making HTTP requests within Webflow to add entities to Fibery. The end user never sees the Auth token (in developer tools or anything)?

Oh perfect! How would one go about encrypting the token? I couldn’t find any way to do it without installing a package. Worried about storing passwords and sensitive info in Fibery due to the lack of on-server encryption.

I guess you made a typo and meant “Glad to hear I’m not exposing my API key to the public”.
Also when making HTTP requests within Webflow to add entities to Fibery, the Auth token is not exposed to end users.

For encrypting tokens consider using external secret management services that provide on-server encryption.

  1. Secret Management: Use external services to store and encrypt API keys.
  2. Secure Retrieval: Server-side retrieval of keys minimizes exposure.

Some services that can do that:

  • AWS Secrets Manager
  • Azure Key Vault
  • Google Secret Manager
  • HashiCorp Vault

Example with Google Services:

  • Google Secret Manager: Store API keys.
  • Google Cloud Functions: Retrieve keys for secure API calls from Fibery to Webflow and vice versa.

To create the Fibery script, configure it to make HTTP requests to your Google Cloud Function endpoint, which will securely retrieve and provide your API key for each transaction.

I did not test this yet with Fibery, but I have used a similar setup in other tools.

I thought only a Fibery Admin user could create/edit/examine Automations/Scripts, but I can’t find that anywhere in the docs. :thinking:

If that is indeed true, then it should be safe to simply define tokens/secrets directly in a script, because an admin would also be able to see it anywhere it exists in Fibery.

1 Like

Yes, I just checked. Non-admins can’t see scripts. So that’s perfect. Thanks both!!

1 Like

Not strictly true.
Creators can see automation rules and buttons, including script actions.
They can edit buttons, but not rules.

1 Like