web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / PCF external services ...
Power Apps
Unanswered

PCF external services API Key/Secrets security

(0) ShareShare
ReportReport
Posted on by JasonAlmeida 96

Hi All,

 

*apologies if this has been discussed already*

 

We've seen a few PCF controls that utilise extrernal services and APIs. Skimming through some of these controls it seems like the apporach tends to be via a config parameter that takes a key/secret/url or embedded in the .ts file directly.

This is obviously a concern from a security point of view as the key could be easily accessed via developer tools or the custom control configuration. My questions:

  • Is there a better approach to defining and storing keys/secrets for PCFs?
  • Could we maybe have a secure property type that can handle this? (totally open to other suggestions btw)

Some other ideas that went through my head:

  • config entity that is queried - but this tightly couples a control to an entity
  • storing in keyvault - but this is subject to the same secret config issue and may have a performance impact

 

cheers

Jason

Categories:
Power Apps Pro Dev & ISV
I have the same question (0)
  • v-xida-msft Profile Picture
    v-xida-msft Microsoft Employee on at

    Hi @JasonAlmeida ,

    Do you want to encrypt the services API Key/Secrets security within your .ts config file?

     

    I afraid that there is no direc way to achieve your needs currently in PowerApps. As an alternative solution, you could consider add a RSA Encrypt function in your .ts config file to encrypt your services API Key/Secrets security. Then when you send request to your external service, encrypt the services API Key/Secrets security as query parameter within the request.

     

    Within your external service, you need also use same RSA Decrypt method to decrypt the encrypted services API Key/Secrets security. Please check and see if the following article would help in your scenario:

    https://stackoverflow.com/questions/46642143/rsa-encrypt-decrypt-in-typescript

     

    If you would like to get further help in this issue, please consider submit an assisted support ticket through the following link:

    https://powerapps.microsoft.com/en-us/support/pro

     

    Best regards,

  • Hemant Gaur Profile Picture
    Hemant Gaur Microsoft Employee on at
    @JasonAlmeida wrote:

    Hi All,

     

    *apologies if this has been discussed already*

     

    We've seen a few PCF controls that utilise extrernal services and APIs. Skimming through some of these controls it seems like the apporach tends to be via a config parameter that takes a key/secret/url or embedded in the .ts file directly.

    This is obviously a concern from a security point of view as the key could be easily accessed via developer tools or the custom control configuration. My questions:

    • Is there a better approach to defining and storing keys/secrets for PCFs?
    • Could we maybe have a secure property type that can handle this? (totally open to other suggestions btw)

    Some other ideas that went through my head:

    • config entity that is queried - but this tightly couples a control to an entity
    • storing in keyvault - but this is subject to the same secret config issue and may have a performance impact

     

    cheers

    Jason

    PCF is the client side framework and hence any requests made from the client will have the keys exposed to the end user via browser. Low impact keys which can be shared with the users (as they are autheticated PowerApps users) can be added via PCF properties which customizers add. For the ones which need to be shielded from end users you can use server side plugins or connectors on the canvas apps to manage the connection and make the request.  KeyValut can also be used on the server side if there is requirement to not store creds on the server. Configuration entity is another option for low impact keys. For performance the shortlived access tokens can be cached in the using setControlStateAPI.

    PCF controls do not offer authentication/SSO yet and we plan to add limited AAD auth support for embedded iFrames in next semester.  

     

    thanks,

    Hemant 

  • MJain Profile Picture
    MJain 2,450 on at

    The better idea would be to use Actions and call them from your PCF control normally the way you call them from JS. 

     

    Please refer to my control : https://github.com/mkcgphy/Azure-Maps-Get-Search-Address-TypeAhead as reference.

  • AllanDeCastro Profile Picture
    AllanDeCastro 412 Most Valuable Professional on at

    For me, there is no real best solution as we can retrieve the key in any case via fiddler or debug it.

    However, you can either insert the key into a CDS environment variable (https://docs.microsoft.com/en-us/power-platform-release-plan/2019wave2/microsoft-powerapps/new-solution-components-get-full-support) or insert the key in an input properties.

  • Diana Birkelbach Profile Picture
    Diana Birkelbach 3,072 Most Valuable Professional on at

    The EnvironmentVariables are not supposed be used for secrets, as in the current limitation is stated:

    "Not a secure store for secrets, such as passwords"

  • MJain Profile Picture
    MJain 2,450 on at

    The Environment Variable Definition and Environment Value both are entities which are recently added and this can be used to store configuration data. Agreed passwords should not be stored .

  • AllanDeCastro Profile Picture
    AllanDeCastro 412 Most Valuable Professional on at

    Yes, I know all about it very well.


    But in this case, what is your solution? 🙂

  • MJain Profile Picture
    MJain 2,450 on at

    What we did was to create an action and call it from JS. This way no where from client side the key is exposed. We used key from configuration part of plugin registration which gave us flexibility for changing depending upon environment. 

    Thanks

  • AllanDeCastro Profile Picture
    AllanDeCastro 412 Most Valuable Professional on at

    Yes, I understand that it's more secure because it's on the server side. However, it will be more difficult for you to change this key if it is hard-coded.

    I'm not sure I understand what you're doing with your action? You query the external web service and send the answer back?
    Indeed, it seems to me that it is better, but we are losing the flexibility we have to change the key.

  • Diana Birkelbach Profile Picture
    Diana Birkelbach 3,072 Most Valuable Professional on at

    You don't have to hard code the key. You could use the PlugIn "Secure Configuration" to store the key.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the January Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
Haque Profile Picture

Haque 88

#2
WarrenBelz Profile Picture

WarrenBelz 85 Most Valuable Professional

#3
Valantis Profile Picture

Valantis 45

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans