Today, we’re making significant updates to the HttpService’s Secret Manager interface in Studio! Secret Manager is a critical tool that helps protect your API keys when interfacing with external services. Our new Secret Manager interface is now clearer in how you create, edit and remove your secrets and values.
Key Features
With this update, we’re seeking to resolve reliability and usability issues in the Secret Manager feature:
Individual Entries: Secrets may now be managed as individual entries as opposed to all secrets stored together as a single JSON string.
Input Validation: Individual fields now have their own respective checks, thus reducing risk of error inputs.
Clearer Instructions: Revamped the written instructions to be easier to understand and reduce error inputs.
Note: Secrets are stored locally on your device and are available in local Playtest mode. To use secrets in Team Test or in a live game, please set them on Creator Hub.
Will there ever be an option to let a role or user edit secrets for a game when not an owner? I do not own the group, but I manage secrets for handling game to private server info, and having to DM the owner each time I need a change or setting fix to handle changes is quite annoying.
Please consider it stronger, as large-scale studios with several teams over many games have to eat the bandwidth of management to add a single API key when this should be an easy permission toggle.
We can already get permission to create our own Cloud API keys, but we cannot fully utilize that freedom without also being the group owner to make our products/features work with HttpService Secrets like you want it to.
Probably never, since doing so would require the value of the secrets to be stored within the file to work. Seems counter-intuitive to the point of the feature, lol.
It’s an extra layer of security in the event that your source code gets leaked. Certain strings may be incredibly dangerous in the wrong hands, such as a Discord webhook URL that posts to a public channel. An evildoer with this level of access could cause a lot of damage in a short time (especially since, at least on Discord, webhooks can mention everyone). If your source code gets leaked in this example and you are using Secrets, your Discord webhook won’t be exposed because it is stored on Roblox’s backend server rather than within your source code directly. Discord is just one example; there’s plenty of services that use tokens for authentication.
Additionally, larger game studios may have developers that should not have access to sensitive information, even though there is a higher level of trust. It grants more modular control over who has access to what in a development team.
Interesting, I haven’t been following much on the Open Cloud API progress, but it seems like a strange setup that you can’t use them without Secrets? Unless I’m misunderstanding something, feel free to correct me.
Wait, I didn’t even know local secrets existed. I’ll read the documentation, but I assume if a Creator Hub and local secret have the same name (for convenience) it will use the local copy?
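Added example, not part of the thread and not Roblox's own code: the source-leak scenario from the reply above, with the hardcoded webhook URL shown beside the `HttpService:GetSecret` form. The secret name `discord_webhook` is hypothetical, and the example assumes it holds the full webhook URL with an allowed domain that covers discord.com.

```lua
-- Added example. Assumptions: a secret named "discord_webhook" (hypothetical
-- name) holds the full webhook URL, and its allowed domain covers discord.com.
local HttpService = game:GetService("HttpService")

-- Weak form: the URL lives in source and is exposed if the place file leaks.
-- local WEBHOOK_URL = "https://discord.com/api/webhooks/<id>/<token>" -- placeholder

-- Hardened form: only the secret's name appears in source.
local function getWebhookSecret()
	-- GetSecret raises an error when the name is not defined for this
	-- environment, so wrap it instead of letting the script die.
	local ok, result = pcall(function()
		return HttpService:GetSecret("discord_webhook")
	end)
	if not ok then
		warn("discord_webhook secret unavailable: " .. tostring(result))
		return nil
	end
	return result -- opaque Secret value; its content cannot be printed or read
end

local function postAlert(message)
	local webhook = getWebhookSecret()
	if webhook == nil then
		return false
	end
	local ok, response = pcall(function()
		return HttpService:RequestAsync({
			Url = webhook, -- a Secret is accepted in place of a URL string
			Method = "POST",
			Headers = { ["Content-Type"] = "application/json" },
			Body = HttpService:JSONEncode({
				content = message,
				-- Empty parse list: Discord will not resolve @everyone or
				-- role mentions even if `message` contains them.
				allowed_mentions = { parse = {} },
			}),
		})
	end)
	if not ok then
		-- Log a fixed string: the raw error could echo request details.
		warn("Webhook request failed")
		return false
	end
	return response.Success
end

postAlert("Server started")
```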
Pretty sure if they really wanted to seriously consider implementing it, they could store the secrets separately to the file and just have the stored one reference some unique identifier for the file. It’s not like there aren’t a variety of creative solutions that would solve the problem you proposed.
Would it be possible to allow us to use Secrets while in Edit mode and not published? My use case is copying user data from production for local testing, but I really don’t like how I have to set my Universe and Place IDs to prod and then set them back to zero.