Strategizing Secure Token Management for Xano Integration with Coda Docs
The State Changers team meeting is discussing different architectural models for implementing temporary tokens and managing data through Xano and Coda. Some of the critical points highlighted were:
1. The proposed architecture places a custom function at every endpoint that reads the request header and verifies the token against a table, both for security and for scoping.
2. The team plans to use Xano across multiple Coda docs (which are similar to live Notion documents), pulling data into Xano and building packs around Xano to push it back out.
3. The challenge is how to manage this token. The main options under consideration are using one shared token across all docs or generating a unique token for every installation of the pack in every document.
4. One potential issue is that a team member who leaves while still holding a token could cause a security breach.
5. If a token needs to be changed or expired, it would have to be replaced in every document that was using it.
6. The State Changers are considering a self-service model in which people provision their own token, which would likely require building an app for token provisioning.
7. There was also discussion of using password managers such as Bitwarden or 1Password for API key management. In this approach the user stores their keys in a vault, which takes some of the strain of key management off the user but introduces an additional potential point of compromise.
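The following is an added example, not code from the meeting or from Xano or Coda, that models the per-endpoint token check (point 1) and contrasts the two token models from point 3 under the off-boarding scenario of points 4 and 5. The token table, the `Authorization: Bearer` header, the `ANY_DOC` wildcard and the doc and owner names are all assumptions; a real Xano implementation would express the same check in a function stack rather than Python.

```python
"""Per-endpoint token check against a token table, with per-document scoping
and revocation. Added example; the table layout and header name are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY_DOC = "*"  # assumed wildcard for the "one token shared by all docs" model


@dataclass
class TokenRecord:
    token_hash: str   # only the SHA-256 of the token is stored, never the token itself
    doc_id: str       # Coda doc this token is scoped to, or ANY_DOC
    owner: str        # team member who provisioned it
    revoked: bool = False


class TokenTable:
    """Stands in for the Xano table the meeting notes describe (constructed, in-memory)."""

    def __init__(self) -> None:
        self._rows: Dict[str, TokenRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def provision(self, doc_id: str, owner: str) -> str:
        """Self-service provisioning: mint a random token, store its hash, return the token once."""
        token = secrets.token_urlsafe(32)
        h = self._hash(token)
        self._rows[h] = TokenRecord(h, doc_id, owner)
        return token

    def revoke_owner(self, owner: str) -> int:
        """Off-boarding: revoke every token a departing team member provisioned."""
        n = 0
        for rec in self._rows.values():
            if rec.owner == owner and not rec.revoked:
                rec.revoked = True
                n += 1
        return n

    def check(self, headers: Dict[str, str], doc_id: str) -> Optional[TokenRecord]:
        """The per-endpoint guard: read the bearer header, look up the hash, enforce scope."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        rec = self._rows.get(self._hash(auth[len("Bearer "):]))
        if rec is None or rec.revoked:
            return None
        if rec.doc_id not in (ANY_DOC, doc_id):
            return None  # valid token, wrong document: scoping failure
        return rec


def docs_still_working(table: TokenTable, tokens: Dict[str, str]) -> List[str]:
    """tokens maps doc_id -> token pasted into that doc; returns docs whose token still validates."""
    return [doc for doc, tok in tokens.items()
            if table.check({"Authorization": f"Bearer {tok}"}, doc) is not None]


def compare_models() -> dict:
    """Contrast the two options from the meeting: one shared token vs one token per doc."""
    docs = ["doc-budget", "doc-roadmap", "doc-hiring"]  # constructed doc ids

    # Model A: a single token, scoped to ANY_DOC, pasted into every doc.
    shared = TokenTable()
    t = shared.provision(ANY_DOC, "alice")
    shared_tokens = {d: t for d in docs}

    # Model B: one token per doc, provisioned by whoever set that doc up.
    per_doc = TokenTable()
    per_doc_tokens = {
        "doc-budget": per_doc.provision("doc-budget", "alice"),
        "doc-roadmap": per_doc.provision("doc-roadmap", "bob"),
        "doc-hiring": per_doc.provision("doc-hiring", "alice"),
    }

    # alice leaves the team; revoke everything she provisioned in both models.
    shared.revoke_owner("alice")
    per_doc.revoke_owner("alice")

    return {
        # shared model: every doc stops working and the token must be replaced everywhere
        "shared_after_offboarding": docs_still_working(shared, shared_tokens),
        # per-doc model: only alice's docs need a new token; bob's keeps working
        "per_doc_after_offboarding": docs_still_working(per_doc, per_doc_tokens),
        # scoping: the roadmap token presented against the budget doc must be rejected
        "cross_doc_rejected": per_doc.check(
            {"Authorization": f"Bearer {per_doc_tokens['doc-roadmap']}"}, "doc-budget") is None,
    }


if __name__ == "__main__":
    print(compare_models())
```

Storing only the token hash means a read of the table does not leak usable credentials, and keeping the owner on each row is what makes revocation on departure a single query rather than a hunt through every doc.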