I’m curious if it’s safe to include credentials and/or API secret keys in applications. In particular, I’m using my Thunkable app to control some IoT devices and the associated cloud service requires an API secret key. I’ve hard-coded it into my app, as I don’t want the users to be aware of it. However, I’m wondering if this creates a vulnerability wherein hackers can dismantle my app and get the key.
Thoughts? If the above practice is ill-advised, please offer a suggestion on how to address the need for the secret key.