
What client and API credentials fields should be kept out of public config file?



In a public git repo depending on Auth0 Client and API credentials as part of an Auth0 auth solution, which, if any, fields should be kept confidential, that is, not committed in any file, but, instead, stored as deployment environment variables?


You could argue that most, if not all, of that information should be stored as runtime configuration and the values themselves not persisted at the source code level. However, looking at this from the perspective of which fields must be kept confidential because exposing them would cripple the security of the system, there are some different classes of information.

Client application secrets and the signing secrets of APIs using HS256 must always be kept confidential and only available at runtime to the components that strictly need to make use of them; otherwise, the security of the system is completely void.

Then there is some information like the Auth0 domain, a client application identifier or callback URLs, among others, that is not treated as confidential information, because in some situations these will end up being exposed just through normal usage of the system anyway. However, in security the less you expose in an easy-to-consume way the better, so you could even consider it an improvement if you did not store those values in the source code and set them only at deploy time. In some deployment scenarios, the values would still be available to be found by a determined user, but it could still be an improvement over packaging them all at the source code level for easy consumption.
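The split the answer describes can be enforced at startup: public values (domain, client identifier, callback URL) come from a committed file, secrets (client secret, HS256 signing secret) come only from the deployment environment, and the loader refuses to run if a secret field shows up in the committed file or a required secret is absent from the environment. The following is an added example, not code from the original post or from Auth0; the field names, the dotenv-style file format, and the `API_SIGNING_ALG` switch (the signing secret is only required for HS256, since asymmetric algorithms such as RS256 verify tokens with a public key) are assumptions made for illustration.

```python
"""Keep Auth0 secrets out of a committed config file and load them from the environment.

Added example; the field names and the dotenv-style file format are assumptions.
"""
import os
from dataclasses import dataclass
from typing import Mapping, Optional

# Safe to commit: these values are exposed through redirects and browser traffic anyway.
PUBLIC_FIELDS = frozenset({
    "AUTH0_DOMAIN", "AUTH0_CLIENT_ID", "AUTH0_CALLBACK_URL", "API_SIGNING_ALG",
})
# Never commit: possession of these lets anyone impersonate the client or mint API tokens.
SECRET_FIELDS = frozenset({"AUTH0_CLIENT_SECRET", "API_SIGNING_SECRET"})


class ConfigError(Exception):
    """Raised when the configuration would weaken the system (leaked or missing secret)."""


@dataclass(frozen=True)
class Auth0Config:
    domain: str
    client_id: str
    callback_url: str
    client_secret: str
    api_signing_alg: str
    api_signing_secret: Optional[str]  # only meaningful for HS256


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    result: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ConfigError(f"malformed line: {raw!r}")
        result[key.strip()] = value.strip().strip('"').strip("'")
    return result


def leaked_secrets(committed: Mapping[str, str]) -> list[str]:
    """Names of secret fields present in the committed file; non-empty means a leak."""
    return sorted(k for k in committed if k in SECRET_FIELDS)


def load_config(committed: Mapping[str, str], env: Mapping[str, str]) -> Auth0Config:
    """Merge public values from the committed file with secrets from the environment."""
    leaked = leaked_secrets(committed)
    if leaked:
        raise ConfigError(f"secret fields committed to the repository: {leaked}")
    missing_public = sorted(PUBLIC_FIELDS - set(committed))
    if missing_public:
        raise ConfigError(f"public fields missing from committed config: {missing_public}")
    client_secret = env.get("AUTH0_CLIENT_SECRET")
    if not client_secret:
        raise ConfigError("AUTH0_CLIENT_SECRET must be set in the deployment environment")
    alg = committed["API_SIGNING_ALG"]
    signing_secret = env.get("API_SIGNING_SECRET")
    # HS256 verifies tokens with a shared secret, so it is required and must come from env.
    # Asymmetric algorithms (e.g. RS256) verify with a public key, so no secret is needed.
    if alg == "HS256" and not signing_secret:
        raise ConfigError("API_SIGNING_SECRET must be set in the environment for HS256 APIs")
    return Auth0Config(
        domain=committed["AUTH0_DOMAIN"],
        client_id=committed["AUTH0_CLIENT_ID"],
        callback_url=committed["AUTH0_CALLBACK_URL"],
        client_secret=client_secret,
        api_signing_alg=alg,
        api_signing_secret=signing_secret if alg == "HS256" else None,
    )


def load_from_process_env(committed_text: str) -> Auth0Config:
    """Convenience wrapper for real deployments: secrets are read from os.environ."""
    return load_config(parse_dotenv(committed_text), os.environ)


# Constructed sample inputs (placeholders, not real Auth0 values).
COMMITTED_OK = """
# auth0.env: public settings only, safe to commit
AUTH0_DOMAIN=example-tenant.auth0.com
AUTH0_CLIENT_ID=CLIENT_ID_PLACEHOLDER
AUTH0_CALLBACK_URL=https://app.example.com/callback
API_SIGNING_ALG=HS256
"""
COMMITTED_LEAK = COMMITTED_OK + "AUTH0_CLIENT_SECRET=SHOULD_NOT_BE_HERE\n"
RUNTIME_ENV = {
    "AUTH0_CLIENT_SECRET": "CLIENT_SECRET_FROM_DEPLOYMENT",
    "API_SIGNING_SECRET": "SIGNING_SECRET_FROM_DEPLOYMENT",
}

if __name__ == "__main__":
    cfg = load_config(parse_dotenv(COMMITTED_OK), RUNTIME_ENV)
    print("loaded config for", cfg.domain, "alg", cfg.api_signing_alg)
    print("leaked in bad file:", leaked_secrets(parse_dotenv(COMMITTED_LEAK)))
```

Running `leaked_secrets` over the committed file as a pre-commit or CI check catches the case the answer warns about (a client secret landing in the repository) before it is pushed, while the environment lookup in `load_config` guarantees the secret is present only where the component actually runs.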