Best practice to store API keys for plugins for 3.3.x PKP applications


When developing plugins that deal with third party APIs, a question that arises is how to store API keys securely.

Storing those credentials as plain text in the database is not a good practice, because anyone with database access would be able to read them.

Is there a recommendation for plugin developers to deal with API keys taking this security aspect into account?

An example of use in an existing plugin would be excellent.

Thanks in advance.

Hi @pablovp,

I’ll see if our developers can weigh in on this, but in case you haven’t seen this, our API documentation here: REST API Usage Guide

I don’t know that it goes into the specific things that you are wondering about, though.

PKP Team

Thanks Roger.

I had seen the API documentation, which describes how to interact with PKP applications using the API.

In the authentication section it explains how to configure the API key.

Under the hood, a secret in the configuration file (api_secret_key) is used to generate the API key with JWT.

It seems that JWT could be used to encrypt and store plugin credentials too, using some sort of secret key (maybe plugin specific). But I want to know if there is some recommendation for plugin developers first.

Hi @pablovp ,

I have been using custom extensions to the file.
Look at the orcidprofile Plugin for an example.


Hi, @nweiher!

You mean for site wide configuration, right?

Oh sorry, yes this only works for site-wide configuration parameters.
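As an added example, not code from the thread or from PKP or the orcidprofile plugin: one way to keep a per-context third-party credential out of the database in readable form is to store only a ciphertext there and keep the encryption key in the site configuration file, which is the same place the thread's api_secret_key already lives. The snippet uses PHP's bundled libsodium (sodium_crypto_secretbox) and assumes a hypothetical config value `plugin_credential_key` holding a base64-encoded 32-byte key; the sample credential and key are constructed for the demo.

```php
<?php
// Added example (not from the forum thread, PKP, or the orcidprofile plugin).
// Goal: a reader who only has database access sees ciphertext, not the API key.
//
// Assumption (hypothetical): the key is a base64-encoded 32-byte value in the
// site config file under a setting named plugin_credential_key. In a real
// plugin it would be read from config.inc.php rather than from this array.
$config = [
    // CONSTRUCTED demo key. Generate a real one once, out of band, with:
    //   php -r 'echo base64_encode(sodium_crypto_secretbox_keygen()), PHP_EOL;'
    'plugin_credential_key' => base64_encode(
        str_repeat("\x2a", SODIUM_CRYPTO_SECRETBOX_KEYBYTES)
    ),
];

// Decode and validate the configured key; refuse to run with a bad key rather
// than silently encrypting with something too short.
function loadCredentialKey(string $encoded): string
{
    $key = base64_decode($encoded, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('plugin_credential_key is missing or not 32 bytes');
    }
    return $key;
}

// Encrypt a credential for storage. A fresh random nonce per call means the
// same API key stored twice yields different ciphertexts; nonce and ciphertext
// are stored together, base64-encoded so they fit a text settings column.
function sealCredential(string $plaintext, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $cipher);
}

// Decrypt a stored credential. secretbox is authenticated, so a wrong key or
// a modified database row fails the MAC check instead of returning garbage.
function openCredential(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        throw new RuntimeException('stored credential is malformed');
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('credential failed authentication (wrong key or tampered row)');
    }
    return $plain;
}

// Demo run with a CONSTRUCTED credential.
$key       = loadCredentialKey($config['plugin_credential_key']);
$apiKey    = 'example-third-party-api-key-0123';   // constructed sample value
$stored    = sealCredential($apiKey, $key);          // what goes into plugin_settings
$recovered = openCredential($stored, $key);

echo "stored value:    {$stored}\n";                  // opaque to a database reader
echo "round trip ok:   " . var_export($recovered === $apiKey, true) . "\n";

// Tampering check: flip one byte of the stored row and confirm it is rejected.
$tampered = base64_decode($stored, true);
$tampered[strlen($tampered) - 1] = chr(ord($tampered[strlen($tampered) - 1]) ^ 0x01);
try {
    openCredential(base64_encode($tampered), $key);
    echo "tamper detected: false\n";
} catch (RuntimeException $e) {
    echo "tamper detected: true (" . $e->getMessage() . ")\n";
}

// Wipe the plaintext copies once they are no longer needed.
sodium_memzero($apiKey);
sodium_memzero($recovered);
```

Two caveats on the design. First, this only relocates the trust boundary: anyone who can read the config file can decrypt every stored credential, so the config file needs the same file-system protection the thread already relies on for api_secret_key. Second, a signed JWT is not a substitute for this: the JWT signature proves who issued a token but its payload is only base64-encoded, so a credential placed in a JWT would still be readable from the database.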

