Exploring the Use and Security of Xano's Environment Variables for API Calls

The meeting titled "State Changers - Discussing Environment Variables in Xano" began with Eddie seeking assistance regarding his business and posing two questions about Xano's environment variables. He had observed that his environment variables were appearing in other calls he was making, and wanted to know whether this was because Xano's environment variables are global, or whether there was a way to limit their visibility to specific API calls or services. He was informed that Xano's environment variables are indeed global, or instance-wide, a feature designed for security: if an individual were able to download the company's source code, they would not have access to the environment variables.


A discussion followed on the security risks of environment variables being potentially available. It was clarified that this is not necessarily a security issue as long as the variables are not being called from the code, a situation that would expose them at runtime. Eddie expressed some confusion about seeing environment variables in Chrome's developer tools during calls to generate a PDF. It was suggested that this may be either a coincidence or an error in the setup. The meeting concluded with Eddie being reassured that environment variables, including those in Xano, should primarily be used by Xano to interact with the outside world and shouldn't be going out with the API calls. This discussion gave Eddie a clearer understanding of the issue and enabled him to investigate his original confusion further. The keywords mentioned in this meeting were "Xano," "environment variables," and "API."


(Source: Office Hours 7/11)
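One way to settle whether an environment variable value is really going out with an API call, as discussed above, is to export the DevTools Network tab as a HAR file and search every request and response for the known values. The following is an added example, not code from the meeting or from Xano; the URLs, the variable name `PDF_API_KEY` and its value are constructed for illustration.

```python
import base64

# Constructed sample in HAR shape (what DevTools "Save all as HAR" produces).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://example.invalid/api/generate_pdf",
                 "headers": [], "postData": {"text": '{"doc_id": 42}'}},
     "response": {"headers": [],
                  "content": {"text": '{"pdf_url": "/f/1.pdf", "debug": '
                                      '{"PDF_API_KEY": "sk_test_CONSTRUCTED_123"}}'}}},
    {"request": {"url": "https://example.invalid/api/me", "headers": []},
     "response": {"headers": [{"name": "x-trace", "value": "ok"}],
                  "content": {"text": base64.b64encode(b'{"name": "sample-user"}').decode(),
                              "encoding": "base64"}}},
]}}


def _body(content):
    """Return a HAR body's text, decoding it when the HAR stored it as base64."""
    text = content.get("text") or ""
    if content.get("encoding") == "base64":
        try:
            text = base64.b64decode(text).decode("utf-8", "replace")
        except ValueError:
            pass  # undecodable body: search the raw text instead
    return text


def find_leaks(har, secrets):
    """Return (url, where, variable_name) for each secret value seen on the wire."""
    hits = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        parts = {
            "request url": req["url"],
            "request headers": " ".join(h["value"] for h in req.get("headers", [])),
            "request body": _body(req.get("postData", {})),
            "response headers": " ".join(h["value"] for h in resp.get("headers", [])),
            "response body": _body(resp.get("content", {})),
        }
        for where, text in parts.items():
            for name, value in secrets.items():
                if value and value in text:
                    hits.append((req["url"], where, name))  # report the name, never the value
    return hits


if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_HAR, {"PDF_API_KEY": "sk_test_CONSTRUCTED_123"}):
        print("leak:", hit)
```

An empty result over a real capture supports the "coincidence" reading; a hit names the exact call and field where the setup returns the value to the browser.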
