
How do I keep secret API keys on a Wix Corvid site?


I have a Wix site with Corvid (aka "Dev mode") enabled. My backend code uses some API keys to connect to Twilio. I use local mode to edit my code, and I check it into git. For obvious security reasons, I want to keep the API key out of my code.

The usual solutions like keeping my secrets as environment variables do not apply because I have no access to the environment at Wix.


Solution

  • Corvid has a secret manager that serves that need. Add your secret key (e.g. meaning_of_life) to the secret manager, import getSecret at the backend, and retrieve the relevant value at run time without having 42 (oops!) anywhere in your code.

    Backend

    import {getSecret} from 'wix-secrets-backend';
    
    // Looks up the value stored under the name 'meaning_of_life' in the secret manager.
    export async function meaning_of_life(factor1, factor2) {
        const mySecret = await getSecret('meaning_of_life');
        return mySecret;
    }
    

    Frontend

    import {meaning_of_life} from 'backend/backend.jsw';
    
    // Calls the backend function once the page has loaded and logs the result.
    $w.onReady(async function () {
        console.log(await meaning_of_life());
    });
    

    Site Preview (screenshot not available)
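
An added example, not part of the original answer: the demo above returns the secret to the page to show that retrieval works, whereas for the Twilio case in the question the key is used inside the backend function and only a result goes back to the browser. The `makeSendSms` factory and the three secret names are hypothetical; `getSecret` and `fetch` are passed in so the block also runs outside Wix.

```javascript
// In a Velo backend web module (e.g. backend/sms.jsw) wire it up with:
//   import { getSecret } from 'wix-secrets-backend';
//   import { fetch } from 'wix-fetch';
//   export const sendSms = makeSendSms({ getSecret, fetch });
// Secret names are assumptions: use the names you saved in the secret manager.
function makeSendSms({ getSecret, fetch }) {
    return async function sendSms(to, body) {
        // Web-module functions can be called from any visitor's browser,
        // so validate input before spending credentials on it.
        if (!/^\+[1-9]\d{6,14}$/.test(String(to))) {
            return { ok: false, error: 'invalid phone number' };
        }
        // 1600 characters is used here as the upper bound for one message.
        if (typeof body !== 'string' || body.length === 0 || body.length > 1600) {
            return { ok: false, error: 'invalid message body' };
        }
        // Secrets are read at run time and never leave this function.
        const [sid, token, from] = await Promise.all([
            getSecret('twilio_account_sid'),
            getSecret('twilio_auth_token'),
            getSecret('twilio_from_number'),
        ]);
        const auth = Buffer.from(`${sid}:${token}`).toString('base64');
        const url = 'https://api.twilio.com/2010-04-01/Accounts/'
            + `${encodeURIComponent(sid)}/Messages.json`;
        let response;
        try {
            response = await fetch(url, {
                method: 'POST',
                headers: {
                    Authorization: `Basic ${auth}`,
                    'Content-Type': 'application/x-www-form-urlencoded',
                },
                body: new URLSearchParams({ To: to, From: from, Body: body }).toString(),
            });
        } catch (err) {
            // Do not forward err to the caller: it may describe the request.
            return { ok: false, error: 'request failed' };
        }
        // Return a status only, never the secrets or the raw upstream response.
        return response.ok
            ? { ok: true }
            : { ok: false, error: `upstream status ${response.status}` };
    };
}
```

With this shape the git repository holds only secret names, and the frontend receives `{ ok: true }` or an error string.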