Storing third-party website API secret on the twitch configuration service

DarkHarmonics · August 2, 2022, 4:44am

Hello!
I’m currently in the process of making a twitch extension. This particular twitch extension would take the inputted player-specific secret API code from another website on the extension and then use it to access the websites player-specific data through GraphQL to then display on the extension. My question is, is it safe to store the inputted player-specific API code on the twitch configuration service, or do I need to set up an EBS?

To re-iterate, the only thing that would be stored on the EBS would be the third-party API code which would then be used to make queries to the website.

Dist · August 2, 2022, 7:56am

All data on the Twitch Configuration service is public, as it is not designed to be a private data store and does not have any sort of access control that would prevent malicious users. So no, it’s not safe to store things such as API keys/tokens.

DarkHarmonics · August 3, 2022, 5:59am

Hello!
Thank you for the response, so to re-iterate, any data (even just a single line-token) inputted into the twitch extension configuration tab and stored through the callback function to the twitch configuration service is vulnerable to malicious users?

BarryCarlyon · August 3, 2022, 12:13pm

Yes, it is public storage not secure storage