I am using supabase auth for users in my figma plugin, and it requires me to store supabase_url and anon_key. These are sensitive variables that should not go public.
Storing them in ui.html is not recommended as it is easily inspectable. So I researched about different approaches.
One way I found is by storing them main thread (code.ts) which can communicate to ui.html via post messages. Although I am not sure that this is the perfect way to conceal your sensitive variables.
I need help of developers building on plugin to give some insights. Thanks!