Achievement Unlocked: Secrets in public notebooks

You can now write secrets into your subdomain with:

For security, you need to prove your uid has write access via a DNS-01-like challenge:

You can inject secret values into serverside cells, thus the secret value is never exposed to the end user of the notebook!

This enables OAuth 2.0 integrations in public notebooks and a ton more.

Just to prove how fricken’ powerful this is, I wrote the secrets API and the subdomain challenge infrastructure IN PURE OBSERVABLE CODE!!! You can see how it is all implemented yourself.

Man it was tough, the GCP SDKs do not work in a browser context, so I had to figure out how to mint an access token from a service account manually, so the serverside cells can issue security credentials. BUT IT CAN BE DONE AND IT HAS BEEN DONE.

The secrets manager API is a CRUD express router… all programmed within Observable cells. The sky is the limit!

6 Likes

I have updated this notebook to use login-with-comment.

What this means is you can now set a private secret for a public notebook in one simple step.

If you have not seen secret manager before, you can use secrets to store API_KEYS.

1 Like

The latest version of webcode.run includes setting secrets in the inline dashboard, so now it’s even simpler to upload and use secrets in public notebooks. I wrote an example using Airtable:

1 Like