Are Electron executables with API key/secrets in them secure?


#1

If I create an app that uses Stormpath for user authentication, I need to include a Stormpath API key and secret.

Once packaged, are those API key/secret strings safe? Could someone de-compile the package somehow and get them?


#2

No, they’re not safe; it would be trivial to grab them from a packaged app. The only way to protect that information is not to put it on the client machine in the first place, which means you may need to build a server to act as a middle-man. Your server would use the Stormpath API and provide a key/secret-less API that your app would use. That’s the general idea anyway; some API providers may provide other alternatives that don’t require you to spin up your own server, but I don’t know if Stormpath does.
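The middle-man server described in the answer above, sketched in Node.js as an added example that is not part of the original post and is not Stormpath's own API. The upstream URL, the `/login` route, the `API_KEY_ID` / `API_KEY_SECRET` variable names and the use of HTTP Basic auth toward the provider are all assumptions made for illustration.

```javascript
// Added example. UPSTREAM_URL, /login and the env variable names are hypothetical;
// Basic auth toward the provider is an assumption, not Stormpath's documented API.
const UPSTREAM_URL = process.env.UPSTREAM_URL || 'https://auth.example.invalid/v1/login';

// Build the upstream call server-side. Returns null for malformed client input.
function buildUpstreamRequest(clientBody, env) {
  const { username, password } = clientBody || {};
  if (typeof username !== 'string' || typeof password !== 'string') return null;
  if (!env.API_KEY_ID || !env.API_KEY_SECRET) throw new Error('API credentials not configured');
  const basic = Buffer.from(`${env.API_KEY_ID}:${env.API_KEY_SECRET}`).toString('base64');
  const headers = { 'Content-Type': 'application/json', Authorization: `Basic ${basic}` };
  // Only these two fields are forwarded; extra client-supplied keys are dropped.
  const body = JSON.stringify({ username, password });
  return { url: UPSTREAM_URL, options: { method: 'POST', headers, body } };
}

// Never relay the upstream reply verbatim; reduce it to what the app needs.
function toClientResponse(upstreamStatus) {
  if (upstreamStatus === 200) return { status: 200, body: { ok: true } };
  if (upstreamStatus >= 400 && upstreamStatus < 500) return { status: 401, body: { ok: false } };
  return { status: 502, body: { ok: false } };
}

async function handleLogin(clientBody, env = process.env, fetchImpl = fetch) {
  try {
    const upstream = buildUpstreamRequest(clientBody, env);
    if (!upstream) return { status: 400, body: { ok: false } };
    return toClientResponse((await fetchImpl(upstream.url, upstream.options)).status);
  } catch {
    // Misconfiguration or unreachable upstream: generic error, no detail to the client.
    return { status: 500, body: { ok: false } };
  }
}

// HTTP wiring: the Electron app POSTs JSON to /login and never sees the key or secret.
async function startServer(port = 3000) {
  const http = await import('node:http');
  return http.createServer(async (req, res) => {
    if (req.method !== 'POST' || req.url !== '/login') return res.writeHead(404).end();
    req.setEncoding('utf8');
    let raw = '';
    for await (const chunk of req) { raw += chunk; if (raw.length > 4096) return res.writeHead(413).end(); }
    let parsed = null;
    try { parsed = JSON.parse(raw); } catch { /* malformed JSON becomes a 400 */ }
    const out = await handleLogin(parsed);
    res.writeHead(out.status, { 'Content-Type': 'application/json' }).end(JSON.stringify(out.body));
  }).listen(port);
}
```

Keeping the key on the server does not limit who can call `/login`, so the proxy itself needs TLS and its own rate limiting.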