Or if you are less paranoid, store and retrieve it with the Java Preferences API. Encrypt it so it isn’t stored in plaintext. The user preferences should be isolated from other users’ access. If your software requires a user to authenticate in any way, use that authentication in the encryption so there are no hard-coded keys in the code.

Scott

> On May 22, 2020, at 7:42 PM, Daoud Abdelmonem Faleh <abdelmonem.fa...@gmail.com> wrote:
>
> Actually this has nothing to do with IDEs and am not aware of any that integrate with such functionality.
>
> The general consensus for managing users' secrets (API keys, database credentials, ...) is to use a secrets management system.
> Many of the public cloud providers have this kind of service (AWS Secrets Manager, GCP Secrets Manager, Azure Key Vault, ...); if you're on premises, open-source tools do exist (HashiCorp Vault, Square Keywhiz). Spring Framework seems to support many of them.
> GitHub does have a secrets scanning tool that recognizes many of the public APIs.
> Other tools are available to scan source code for secrets and can be configured as a pre-commit hook (Yelp Detect Secrets comes to mind).
>
> HTH,
> --Daoud
>
>> On Fri, May 22, 2020 at 10:27 PM Alonso Del Arte <alonso.dela...@gmail.com> wrote:
>> This is somewhat of a general Java question, but I do believe it has an IDE-specific component.
>>
>> What are the best practices for storing and retrieving API keys in Java programs? And what help does NetBeans offer for adhering to those best practices?
>>
>> Suppose for example that your key for an example widget API is "555EXAMPLE." You could certainly write "private final static String API_KEY = "555EXAMPLE";" and then each time you need the key, you write "API_KEY" where it's needed.
>>
>> String query = "https://www.example.com/api/q=" + sendParams + "&key=" + API_KEY;
>> URL queryURL = new URL(query);
>> HttpURLConnection conn = (HttpURLConnection) queryURL.openConnection();
>> conn.setRequestMethod("POST");
>> // etc.
>>
>> But then I might forget about the API key and upload the source file to a public GitHub repository (maybe GitHub would alert us, but I don't know for sure).
>>
>> I suppose I could store the API key in a file or folder listed in the Git Ignore, and then create a class to store and retrieve API keys, but that would probably feel like I'm reinventing the wheel...
>>
>> Alonso del Arte
>> Author at SmashWords.com
>> Musician at ReverbNation.com