Including passwords and/or API keys in programs

I’m curious if it’s safe to include credentials and/or API secret keys in applications. In particular, I’m using my Thunkable app to control some IoT devices and the associated cloud service requires an API secret key. I’ve hard-coded it into my app, as I don’t want the users to be aware of it. However, I’m wondering if this creates a vulnerability wherein hackers can dismantle my app and get the key.

Thoughts? If the above practice is ill-advised, please offer a suggestion on how to address the need for the secret key.



Use the obfuscate block from the text drawer to store sensitive data.


@Taifun, thanks for the suggestion. I’m using iOS and it appears that block is not yet available. Until it’s available, is it risky to include sensitive data in an app or does the obfuscate just make it a lot harder to “see”?

[update] actually, I can’t find obfuscate anywhere in the documentation, even for Android

That block was added later and was forgotten in the documentation… @thunkable
I have now changed the category of your post to #iosdiscuss

Actually, my app will be both for iOS and Android in the not-too-distant future, so it’s relevant to both platforms. Thanks for your assist.

Thanks for catching this. We’ve added that block to our docs. We’ve also added it to our plans for Thunkable ✕

I can’t find the obfuscate block in Thunkable X, is it still not available?

No, it is not available.

I have had good experience using the Firebase (Realtime DB) component. Every time I need an API key or password, I catch it from Realtime DB.

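An added example, not code from any poster in this thread: APK and IPA files are ZIP archives, so a pre-release check can unpack your own build and search it for the key from the opening question. The package contents, file names and key below are constructed (they are not Thunkable's real layout), and the list of encodings checked is an assumption about common trivial encodings.

```python
import base64
import io
import zipfile

SAMPLE_KEY = "EXAMPLE-KEY-0000-not-a-real-key"  # constructed placeholder, not a real credential


def build_sample_package(secret: str) -> bytes:
    """Constructed stand-in for an app build: a ZIP holding the key in two files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("assets/screens.json", '{"apiKey": "%s"}' % secret)
        z.writestr("assets/config.bin",
                   b"\x00\x01" + base64.b64encode(secret.encode()) + b"\xff")
        z.writestr("res/strings.xml", "<string name='title'>IoT Remote</string>")
    return buf.getvalue()


def secret_variants(secret: str) -> dict:
    """The key as it would appear literally or under a few trivial encodings."""
    raw = secret.encode()
    return {
        "plain": raw,
        "utf-16le": secret.encode("utf-16-le"),
        "base64": base64.b64encode(raw),  # matches only if the key was encoded on its own
        "hex": raw.hex().encode(),
    }


def scan_package(package: bytes, secret: str) -> list:
    """Return (member, encoding) for every archive member where the key is recoverable."""
    variants = secret_variants(secret)
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            data = z.read(name)  # decompressed content, as anyone unpacking the app sees it
            for label, needle in variants.items():
                if needle in data:
                    findings.append((name, label))
    return findings


if __name__ == "__main__":
    for member, encoding in scan_package(build_sample_package(SAMPLE_KEY), SAMPLE_KEY):
        print(f"key recoverable from {member} ({encoding})")
```

A hit in any encoding means the key ships to every device that installs the app; an empty result only rules out the encodings listed here.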