Do secure variables exist in Lua?

Hi,

I just want to know if there is a way to keep special variables (like API keys) hidden.

I know clients can’t access the ServerScriptService from a client, but the problem is that because my secret variable will be distributed in a plugin, it can’t be hidden from the developers using it.

For example:

  • I have a Firebase server
  • I want to make requests to the server from a plugin I’ve made
  • I don’t want anyone knowing the key (script obfuscation isn’t an option, it can be reversed)

Any help is appreciated!

2 Likes

The only thing I can think of would be to use some sort of in-the-middle REST API. You can then either have the REST API public or issue individual API keys to each valid user of the plugin.

1 Like
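The in-the-middle API suggested in the reply above, sketched as an added example that is not part of the original thread: the upstream secret stays in the proxy's environment, and each plugin user gets an individual, revocable key that is stored only as a hash. The upstream URL, the allowed operations and all function names are assumptions, and the upstream request is only described, not sent.

```python
import hashlib, hmac, os, secrets

# Assumption: the real upstream secret exists only in the proxy's environment.
UPSTREAM_SECRET = os.environ.get("UPSTREAM_SECRET", "constructed-demo-secret")
UPSTREAM_BASE = "https://upstream.example.invalid"   # placeholder endpoint
ALLOWED = {("GET", "/scores"), ("POST", "/scores")}  # hypothetical operations
_keys = {}  # sha256(client key) -> user id; plaintext keys are never stored

def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

def issue_key(user_id: str) -> str:
    """Create a per-user key; shown once to the user, stored only as a hash."""
    key = secrets.token_urlsafe(32)
    _keys[_digest(key)] = user_id
    return key

def revoke_user(user_id: str) -> int:
    """Drop every key of one user without rotating the upstream secret."""
    doomed = [d for d, u in _keys.items() if u == user_id]
    for d in doomed:
        del _keys[d]
    return len(doomed)

def authenticate(key: str):
    """Return the user id for a valid key, else None (constant-time compare)."""
    presented = _digest(key or "")
    for stored, user in _keys.items():
        if hmac.compare_digest(stored, presented):
            return user
    return None

def handle(method: str, path: str, client_key: str):
    """Return (status, upstream request or None) for one client request."""
    user = authenticate(client_key)
    if user is None:
        return 401, None          # unknown or revoked client key
    if (method, path) not in ALLOWED:
        return 403, None          # a client key cannot reach arbitrary paths
    return 200, {
        "method": method,
        "url": UPSTREAM_BASE + path,
        # The secret is attached here, on the server, never in the plugin.
        "headers": {"Authorization": "Bearer " + UPSTREAM_SECRET},
        "on_behalf_of": user,
    }
```

A leaked client key exposes only the allow-listed operations and can be revoked for that one user; the upstream secret never ships in the plugin.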

Hmm… I did not consider that option. Seems great. I just have one question: what if I wanted every player of the games that use my plugin to be able to use its functions?

Like, it is not just meant for in-Studio use, but rather to set up everything for an in-game type of thing?

I’m a bit confused about what the setup would be / what exactly the plugin is meant to do. As I understand it, you want your plugin to insert scripts / other things into a place and then those scripts do something with your Firebase server?

1 Like

You could use a hexadecimal value to hide the API key if it's a string, but that could easily be undone. This may be against Roblox TOS though under the obfuscation work.

1 Like

Well, sorry about the confusion here. The plugin can be forgotten about. I just wanted to know if it was possible to hide a variable such as API key from a user, exploiter, developer, designer etc. Basically anyone else, but me.

Although now that I think about it I am beginning to understand the complexity of this thing. I’m not sure if it’s possible anymore.

Could work, but yes, the obfuscation can be reversed.

It is very difficult to do so on a script that isn’t even the source code. Luau decompilers can only be so accurate, and most of the time they fail to produce a working clone of already obfuscated code because of what those obfuscators do to the script environment.

1 Like

The typical answer to this sort of question is no, you can’t hide keys from a user. The general rule is if it is on their machine in any way then they can access it.

Another option I thought of (although not fully thought through) is encrypting the API key and then having the encrypted version in the code. This probably defeats the purpose of distributing the key in the first place though as at some point it will need decrypting to make requests.

2 Likes

Well, thanks anyways. I always wondered if something like this was possible. Maybe something will come up in the future. 🙂