Custom Connectors - Environment Variables for API Token/Key

Hi everyone,

I am currently looking at building a Custom Connector. I want it to be 'solutionised' so am designing it to avoid having hard coded values in the Custom Connector itself, instead offloading these to Environment Variables.

I have successfully added an Environment Variable for the Host parameter in the General Information section. This shows up and works fine in Section 3: Definition, in the 'Request' section.

For the API I'm using, it is a requirement that the API Token is provided in the Header of the request to the Endpoint, as shown in the below screenshot:

When the 'X-API-Token' Header property is 'Edited', it shows up like this:

When the Custom Connector is added to the Flow, in Edit mode, the requirement for the X-API-Token shows as designed, in the Action, as below. However, this requires the user to provide their API Token in plain text, which is then stored within the Flow. If the Flow was shared with other users, etc, this would be problematic, and I'm aware it's not best practice to store 'Secrets' in plain text anyway.

I'm therefore wondering what the best practice is to request and securely manage the user's API Token.

Does anyone know if an Environment Variable can be used in the 'Headers' section of a 'Request' part of a '3. Definitions' configuration of a Custom Connector? In classic Microsoft-style, the documentation for this is very unhelpful, as it says: "
Currently, environment variables aren't supported in actions, triggers, or policies." Well, the Environment Variable that already works successfully for me is showing in the Request section of the Action in the Definition section, so theoretically that is an Environment Variable within an Action.

If an Environment Variable can be used in the 'Headers' section of a 'Request' part of a '3. Definitions' configuration, my thinking was to use the 'Secret' Environment Variable type, and leverage Azure Key Vault to store the API Token. This would then not present the requirement to the user to add their API Token in the action in the Flow. I imagine this would work by setting the Default Value to the Environment Variable, and then the Visibility to 'internal' as the user does not need to manipulate anything.

I've not used Azure Key vault before, so before spending a lot of time on this, can anyone confirm if this would work, and is best practice, or if not, any other secure alternatives to this?

Thank you very much!

Categories:

Authentication

Quick Links