Storing an auth token without exposing it client side

I am working with my CRM API, which requires first generating an API key by passing a client_id and client_secret, and then responds with a token for future requests. I am using an API connector to send a POST request server side without exposing the client ID and secret.

Since these tokens have an expiration time of 10 days, my idea is to receive that token and store it as a hidden field value for each of the form completions (not sure if this is the best way to do so; if there is a better way, please let me know).

According to the Feathery documentation, I need to trigger the API connector through the Rule builder, and so I did. The API connection seems to be working and triggered at the right time. However, the CRM API is responding to that request with the success message that includes the auth_token, and hence exposing it publicly on my browser's console.

Is there a way to avoid this? Thank you!

We’re actively working on the ability to run logic rules in a server-side context and support server-side only hidden fields. Should be out in a few weeks! cc: @andy

Thanks for the answer, Peter, good to hear that. Just to be sure on my side, right now I don’t have a way to securely store an API request response into a secure field or variable, correct?

If that is the case, and while that feature is still being worked on, I am thinking of generating and renewing this token manually to pass it on future API requests.

However, one follow-up question: is there any way to manually store it into a variable and pass that rather than hard-code the token into the Header of the API request?

I saw in the documentation the Bearer {{salesforce_token}} for example, but I guess that is for existing Feathery integrations, right?

Thanks for the help!

Hi, just checking in on my last reply. Thank you.

Hey there, you can also use the {{variable}} format to reference a variable in your header. You can create and use a hidden field for that purpose. Hidden Fields | Feathery Docs

Thanks Eri. I thought of this, but since I cannot store an API response into a hidden field privately, is there a way I can set this hidden field’s value manually?

Reading the documentation, I did not find a way to do so.

You can set the value of hidden fields manually in the Rules.
If it’s coming from the form values, no need for a hidden field. The format {{field}} is applicable for both.
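
For readers with the same problem, the server-side pattern discussed in this thread can be sketched as follows. This is an added example, not part of the original thread and not Feathery code: it assumes you run your own backend between the form and the CRM, and `TokenBroker`, `fetch_token`, the refresh margin, the `Bearer` scheme for the CRM and the extra redacted key names are all hypothetical. Only `auth_token` and the 10-day lifetime come from the thread.

```python
import time
from typing import Any, Callable, Dict, Optional

TOKEN_TTL_SECONDS = 10 * 24 * 3600  # the thread states tokens expire after 10 days
REFRESH_MARGIN = 3600               # assumption: renew one hour before expiry
# "auth_token" is the field named in the thread; the other keys are assumed.
SECRET_KEYS = {"auth_token", "access_token", "client_secret"}


class TokenBroker:
    """Keeps the CRM token in server memory so it never reaches the browser."""

    def __init__(self, fetch_token: Callable[[], Dict[str, Any]],
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch_token   # server-side call that sends client_id/secret
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _current_token(self) -> str:
        # Fetch on first use, then again only when the cached token is near expiry.
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN:
            reply = self._fetch()
            self._token = reply["auth_token"]
            self._expires_at = self._clock() + TOKEN_TTL_SECONDS
        return self._token

    def auth_headers(self) -> Dict[str, str]:
        """Headers for outbound server-to-CRM requests only."""
        return {"Authorization": f"Bearer {self._current_token()}"}

    @staticmethod
    def redact(payload: Any) -> Any:
        """Recursively drop secret fields from anything relayed to the client."""
        if isinstance(payload, dict):
            return {k: TokenBroker.redact(v)
                    for k, v in payload.items() if k not in SECRET_KEYS}
        if isinstance(payload, list):
            return [TokenBroker.redact(v) for v in payload]
        return payload


if __name__ == "__main__":
    # Constructed stand-in for the CRM's token endpoint (no network access).
    def fake_crm_login() -> Dict[str, Any]:
        return {"status": "success", "auth_token": "constructed-token"}

    broker = TokenBroker(fake_crm_login)
    print(sorted(broker.auth_headers()))      # header names only, never the value
    print(broker.redact(fake_crm_login()))    # what the browser is allowed to see
```

The browser only ever receives the output of `redact`, while `auth_headers` is used solely on requests the server itself sends to the CRM.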