
Secrets for published notebooks?

Secrets work really well for private notebooks. It would be great to have an equivalent for public and shared notebooks so they can also access APIs, databases, etc. Similar to config files or environment variables for typical web apps.

Forgive me if I missed something - it looks like the only way to share notebooks that use secrets, right now, is to add the recipient to our team (which then shares all our notebooks). And no solution I can see for a public notebook.

Thanks for building such a great product!

Hi @msb,

The problem is that public and shared notebooks are public — anyone who visits them would be able to read (and therefore, steal) your secret.

If you want to list a bunch of shared configuration variables, so that you can use them in many different notebooks, but they aren’t actual secrets, and you don’t mind publishing them, I would recommend simply creating a “config” notebook that you can import values from. Like so:

Then, in my other notebooks, I can:

import {PUBLIC_API_KEY} from "@jashkenas/config"

… but your overall point is still well taken. We’ll discuss adding a public version of the Secrets UI, that can be used for public and non-sensitive values.


As a workaround for API keys you could create a proxy server on glitch.com that injects the key into the request. The key can be stored in a .env file which will only be visible to you (read more about private/public projects here).

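The proxy approach described above, as an added example that is not from this thread, Glitch or Observable: a minimal Node.js (18+, for global fetch) server that reads API_KEY from the environment (such as a Glitch .env file) and injects it into forwarded requests. The upstream URL, the forwarded paths and the allowed browser origin are placeholders to be replaced with your own.

```javascript
// Placeholder upstream API and the paths the proxy is willing to forward.
// The allowlist matters: the proxy itself is reachable by anyone who can load the
// notebook, so it should expose only the calls the notebook actually needs.
const UPSTREAM = "https://api.example.com"; // placeholder, not a real endpoint
const ALLOWED_PATHS = new Set(["/v1/search", "/v1/items"]);

// Decide how to forward one incoming request. Returns { url, headers }, or null
// when the request must be refused. The key comes from env, never from the client,
// and any Authorization header the client sent is dropped rather than passed through.
function buildUpstream(path, clientHeaders, env) {
  const url = new URL(path, UPSTREAM);
  // A path such as "//evil.example/x" resolves to another host; refuse it.
  if (url.origin !== new URL(UPSTREAM).origin) return null;
  if (!ALLOWED_PATHS.has(url.pathname)) return null; // also normalizes "../"
  const headers = {
    accept: clientHeaders.accept || "application/json",
    authorization: `Bearer ${env.API_KEY}`, // injected server-side
  };
  return { url: url.toString(), headers };
}

// Start the proxy. A browser needs CORS headers to call it from a notebook, so the
// allowed origin is pinned (ALLOWED_ORIGIN is a placeholder) instead of using "*".
function startProxy(port, env = process.env) {
  const http = require("node:http"); // required lazily so the module also loads under ESM
  const allowedOrigin = env.ALLOWED_ORIGIN || "https://notebook.example";
  return http
    .createServer(async (req, res) => {
      if (req.method !== "GET") { res.writeHead(405).end(); return; }
      const target = buildUpstream(req.url, req.headers, env);
      if (!target) { res.writeHead(404).end(); return; }
      try {
        const upstream = await fetch(target.url, { headers: target.headers });
        const body = await upstream.text();
        res.writeHead(upstream.status, {
          "content-type": upstream.headers.get("content-type") || "text/plain",
          "access-control-allow-origin": allowedOrigin,
        });
        res.end(body);
      } catch (err) {
        // Never echo the error to the client: upstream messages may contain the key.
        res.writeHead(502).end("upstream error");
      }
    })
    .listen(port);
}
```

Run it with `startProxy(3000)` and point the notebook's fetch at the proxy instead of the API; note that hiding the key does not hide the access, so anyone who can reach the proxy can make the allowed calls, which is why the path allowlist and origin pinning are there.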

If you add it, please also add a big fat warning about public access of “secrets”. Many people are oblivious to the fact that anything that runs clientside (without an authentication layer) should be considered publicly accessible (e.g., I observed similar misconceptions in Nuxt.js issues).

Definitely. The difference between Secrets and Public Environment Variables would need to be crystal clear.


Thank you @jashkenas and @mootari for the quick replies!

Totally see your point from a tech standpoint.

Just thinking out loud, here are a few product ideas that may address the need:

  1. User-level notebook sharing. For internal sharing (within my org), I’m not worried about secrets - especially if they are not readily accessible via the Observable UI - but I don’t want everyone to be able to see every notebook.
  2. Rendered views. For external sharing, a static view of a notebook would be better than nothing.
  3. Server-side cells. Probably a crazy idea, but it would be awesome to have a general form of @mootari’s suggestion available directly in Observable. Rather than setting up a proxy server somewhere else, you could just tag a cell / function to run on the server. It would be writable only by the notebook author + editors and would not have access to the client-side scope. Maybe too big a hammer for this particular problem, but just an idea 🙂