I am using supabase auth for users in my figma plugin, and it requires me to store supabase_url and anon_key. These are sensitive variables that should not go public.


Storing them in ui.html is not recommended as it is easily inspectable. So I researched different approaches.


One way I found is storing them in the main thread (code.ts), which can communicate with ui.html via post messages. Although I am not sure that this is the perfect way to conceal your sensitive variables.


I need help from developers building plugins to give some insights. Thanks!

One more thing I want to know: is main thread code inspectable using dev tools? If so, is it safe to store sensitive variables there?


Never store sensitive information in the plugin code. You should have your own backend or use external services.


Hey @tank666,

Thanks for replying. I have my own backend, but I have made the services authorized: if Authorization is not passed to any backend service, it will not work (401 Unauthorized).
I am using Supabase client authorization (Supabase auth), which requires supabase_url and supabase_anon_key (sensitive vars).


I cannot store them in the backend (and fetch the variables from the backend) for two reasons:

  • My services are secure currently; I don’t want to allow any API without an authorization header.
  • If I fetch these variables in the frontend, they can be intercepted using dev tools.


If you have used any client in a Figma plugin, how have you managed the secrets and user token?


The Supabase anon key is safe to expose if I remember well, but it requires RLS in the DB to limit operations. If you don’t use RLS, then the anon key becomes sensitive and should not be exposed.
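An added example (not from this thread) of the RLS setup the reply above refers to, written for Supabase's Postgres: the table name `public.plugin_settings` and its columns are assumed, while `auth.uid()` and the `anon`/`authenticated` roles are Supabase's own. With this in place, a request carrying only the anon key sees no rows, and a signed-in user sees only rows they own.

```sql
-- Constructed example table (assumed name and columns).
create table if not exists public.plugin_settings (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid()
             references auth.users (id) on delete cascade,
  payload    jsonb not null default '{}'::jsonb,
  created_at timestamptz not null default now()
);

-- Weak state: a newly created table in the exposed "public" schema has RLS off,
-- so anyone holding the anon key can read and write every row through the API.
-- Corrected state: turn RLS on; from here, only rows matching a policy are visible.
alter table public.plugin_settings enable row level security;

-- Signed-in users (JWT issued by Supabase auth) may read only their own rows.
create policy "select own settings" on public.plugin_settings
  for select to authenticated
  using (auth.uid() = user_id);

-- Inserts must be stamped with the caller's own user id.
create policy "insert own settings" on public.plugin_settings
  for insert to authenticated
  with check (auth.uid() = user_id);

-- Updates may neither touch nor reassign someone else's rows.
create policy "update own settings" on public.plugin_settings
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "delete own settings" on public.plugin_settings
  for delete to authenticated
  using (auth.uid() = user_id);

-- Deliberately no policy for the "anon" role: unauthenticated requests made
-- with the anon key are denied by default once RLS is enabled.

-- Check: confirm RLS is actually on (relrowsecurity must be true) and that the
-- policies exist; a table listed here with "false" is readable with the anon key.
select c.relname, c.relrowsecurity
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relname = 'plugin_settings';

select policyname, roles, cmd
from pg_policies
where schemaname = 'public' and tablename = 'plugin_settings';
```

Run the two check queries for every table in the exposed schema, not just this one, since RLS is per table and a single table left with it off is fully reachable with the anon key.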
