No Peeking Allowed
May 28, 2025
Thusan Arul & Kristian Hasselknippe
[Figure: Secrets diagram]

Securing your API keys

When accessing web APIs, you almost always have to authenticate your requests. This is usually done by attaching a secret API key to your HTTP request, typically as a header. These keys should be kept as secret as possible, as anyone in possession of them could access your private resources.

When creating a system for secrets management in Midio, our most important goal was to minimize the risk of your secrets ending up in the wrong hands. To achieve this, we decided that your secrets should never pass through the Midio engine unencrypted, and should only be decrypted at the latest possible moment—when they actually leave our network.

When you add a secret in Midio, it is immediately encrypted and stored in our database (see How to create a secret). All your HTTP requests pass through a proxy on their way out of our network, and only there can your secrets be decrypted.

Authentication schemes

There are various common schemes for HTTP request authentication. The most common scheme we see in the wild today is the Bearer scheme, which attaches the secret as an Authorization header with the value prefixed by "Bearer", e.g., "Authorization: Bearer <your API key>".

Our secret manager needs to know what kind of scheme you intend to use, because the proxy that decrypts the secrets must be able to convert them into the intended scheme. Until the token is decrypted, we can't assume anything about its scheme.

Using secrets in Midio

Accessing secrets in the Midio editor

Secrets can be retrieved in a Midio flow using the Get Environment Variable function. This function fetches the encrypted token from the database and stores it as an opaque value (a value the user has no direct access to) in the Midio engine.

Only certain Midio functions, including Http Fetch and Http Fetch Streamed, are able to interpret this opaque value as a secret. These functions can then unwrap the opaque value and make sure it is added as a request header before being passed to the proxy for decryption.
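The flow described above, sketched as an added example (this is not Midio's code): a secret is encrypted on entry, the engine holds only an opaque wrapper, and an egress proxy decrypts it and renders the declared scheme. The names `PROXY_KEY`, `OpaqueSecret`, `add_secret`, `http_fetch`, `proxy_egress` and the `X-Sealed-Auth` header are hypothetical, the HMAC-based cipher is a standard-library stand-in for a real AEAD such as AES-GCM, and the Basic scheme and the binding of the scheme into the authentication tag go beyond what the article states.

```python
import base64, hashlib, hmac, os
PROXY_KEY = os.urandom(32)  # assumption: known only to the secrets manager and the egress proxy
ENC_KEY = hmac.new(PROXY_KEY, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(PROXY_KEY, b"mac", hashlib.sha256).digest()

def _xor_stream(nonce, data):
    # Stdlib stand-in for a real AEAD such as AES-GCM: HMAC-SHA256 in counter mode.
    stream = b"".join(hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(scheme, nonce, ct):
    # The scheme is authenticated with the ciphertext so it cannot be swapped in transit.
    return hmac.new(MAC_KEY, scheme.encode() + b"\0" + nonce + ct, hashlib.sha256).digest()

class OpaqueSecret:
    """What the engine holds: ciphertext and declared scheme, never the plaintext key."""
    def __init__(self, scheme, blob):
        self.scheme, self._blob = scheme, blob
    def __repr__(self):
        return f"<OpaqueSecret scheme={self.scheme}>"

def add_secret(api_key, scheme):
    """Secrets manager: encrypt immediately on entry."""
    nonce = os.urandom(16)
    ct = _xor_stream(nonce, api_key.encode())
    return OpaqueSecret(scheme, nonce + ct + _tag(scheme, nonce, ct))

def http_fetch(url, secret):
    """Engine side: unwrap the opaque value into a still-encrypted request header."""
    sealed = secret.scheme + ":" + base64.b64encode(secret._blob).decode()
    return {"url": url, "headers": {"X-Sealed-Auth": sealed}}  # header name is hypothetical

def proxy_egress(request):
    """Egress proxy: the only place the key is decrypted and rendered into its scheme."""
    headers = dict(request["headers"])
    scheme, b64 = headers.pop("X-Sealed-Auth").split(":", 1)
    blob = base64.b64decode(b64)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(scheme, nonce, ct)):
        raise ValueError("sealed secret or scheme was modified")
    key = _xor_stream(nonce, ct).decode()
    if scheme == "bearer":
        headers["Authorization"] = "Bearer " + key
    elif scheme == "basic":  # stored value is "user:password"
        headers["Authorization"] = "Basic " + base64.b64encode(key.encode()).decode()
    else:
        raise ValueError("unknown scheme: " + scheme)
    return {"url": request["url"], "headers": headers}
```

Neither the wrapper's `repr` nor the request built by `http_fetch` contains the plaintext key, so anything that logs or inspects engine state sees only ciphertext.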

Editing secrets in Settings

In summary

  • Secrets in Midio are encrypted as soon as you add them in the secrets manager.
  • Secrets never pass through the Midio engine unencrypted.
  • Secrets are only decrypted at the last possible moment before leaving our network.