Web API keys on thunkable is secure?

Is it safe to put a Web API key inside Thunkable, as shown below?

Is there someone who can open the APK, for example, and see which Keys for my Web API? If this is dangerous, what is the best way to pass the keys to the URL?



Secure data storage requires encryption. If the data is not encrypted (and it is not encrypted in your block), then you can get this data if you are very willing and able. Another question is, who needs your app? If your app contains a list of names of students from an unknown school, then I think that getting this kind of information from other people will not cause any harm. If your app contains Bank account data, then you need to protect this information very well. I think you understand that data protection measures must be adequate to their value and the consequences that can occur if other people have access to them.

Hey @actech, so how would you approach this? One would usually just paste the entire API URL in the URL field of the API block but that would reveal the API key, right? So let’s say I have an API key I pay for to retrieve the weather from an online service. How would you protect that API key in your app? Would adding it under “QueryParameters” or “Headers” make any difference?



If I needed protection, I would use Firebase, where I could read the API key value after logging in to my account.

@actech argh… not an option in some cases… anyone else has an ingenious approach to this issue?

What do you mean? Do you want to store the key locally?

@actech, do you say to use firebase to read only the key?

@actech yes, I would like to have the key stored locally but in an encrypted format which would not be readable by someone opening the APK or IPA or intercepting the API request traffic with a packet sniffer.

I named an option that is clear to most users. If you know how to program, then you can use encryption using server or client scripts and, for example, store the API key encrypted in HTML Local Storage.

If you know how to work with HTML Local Storage and JavaScript, then you can try this way.

Another example is to place a php script on a paid or free hosting that will return the key if the correct login data was sent to this script

In my app my users do not log in. Could I use firebase and log in all users with a default password just to get a API Key?

But with the data was stored in app without encryption, we will be the same problem, no?

I don’t understand your question. Do you want all users to have the same key?

Strictly confidential data must always be encrypted or placed in the database on a personal account, but this option is less reliable, because if the database is hacked, the hacker will see the data in unencrypted form.

Secret information is encrypted in this line. If you want to try to decipher it? Hint: md5 encryption is used here


You ask, because of one key to create Farabase? If you know any other database where you can create personal accounts and that Thunkable X works with, then use It. I don’t know any such databases.

This isn’t the first time we’ve talked about security, but this question doesn’t make sense when applied to Thunkable X. Special services are used to store confidential data, but instead users try to make a safe out of wooden planks, put it at home and hope that no one will break it.

I repeat, you don’t need to go into a mindless panic. Microsoft, Apple, and many others spend millions of dollars on data protection, and they do not always succeed. Do you want to spend the same amount of money? Then use a free database and store your data in it.

On my app, no exist users account. Is a free app. They using without a login and password.

I just want encrypt my api key. Whats the most secure to do that?

If you need a key for yourself, then why do you need to store it in an app that you are going to distribute to users?

For my app to work, it fetches product data from my Woocommerce/wordpress. So, I need that when starting the app, it gets the data via api, understand?