This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Best Practices for Storing and Managing API Authentication Tokens

Go to solution
dawidleman
Deputy Chef I
Deputy Chef I

a month ago

Hi,

I am currently working on a project that involves integrating with an external API, and I've encountered a challenge regarding the storage and management of authentication tokens. I've implemented a common function that checks if the token exists in lookup tables, verifies the token expiration date, and fetches a new token if the old one has expired, in the same time updating the lookup value. Note that the token value needs to be passed in the Authorization header and it's expiration date currently is around 1 day - therefore the need for a "refresh" function. We don't want to fetch new token with every call.

The problem I have with that solution is that the token value is exposed to everyone (with role access) in the lookup tables view as well as in the job logs.

Is there a better solution/best practices in Workato for such cases?

Cheers!

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
manojksurisetty
Deputy Chef II
Deputy Chef II

2 weeks ago

Absolutely right to be cautious about storing sensitive token data in lookup tables, especially when visibility and job log exposure are a concern. A more secure and recommended approach in Workato is to use a combination of Encrypted Project  Properties and the Workato Developer API. Here's how you can implement it:
 
Recommended Steps:
 
1. Use Encrypted Project Properties
   Store your access token and expiry securely using project-level properties (set_project_property / get_project_property actions).  These values are:
  a. Encrypted at rest
  b. Hidden in the UI once saved
  c. Not exposed in job logs
 
2. Use the Workato Developer API
        Programmatically read or update these properties securely via Workato’s Project Properties API. This is useful if token refresh          logic is handled outside of Workato or needs to be triggered externally.
 
This Is Better:
     1. Keeps token values fully hidden from users and logs.
    2. Eliminates the need to store tokens in lookup tables.
    3. Offers centralized, secure, and reusable token management.
 
While it adds a bit of initial setup effort, it greatly improves security and long-term scalability.
 
Quick Note: Instead of embedding refresh logic in every flow, centralize token management using a helper recipe or an external scheduler that updates the project property. Recipes calling the external API only need to read the current token securely, simplifying the logic and improving maintainability.
 
please let me know if this helps. @dawidleman 

View solution in original post

3 REPLIES 3

Go to solution
1dheeraj2
Deputy Chef III
Deputy Chef III

a month ago - last edited a month ago

Hi @dawidleman ,

I had a similar issue with one of my integrations. What I did was use Workato's encrypt function to encrypt the newly generated token and then stored it in a lookup table. Please note, this encrypt function requires an encryption key to perform the encryption. We have put an encryption key in the system property, which is hidden. So, when you want to use the access key from the lookup table, use the decrypt function along with the environment property.

Although this way the data is still exposed, it is encrypted. If someone wants to breach the data, they would need to decrypt it technically. Also, make sure to mask the steps where you are decrypting the data so it won't be visible in the job within the Refresh window.

Please let us know if you find a better solution.

0 Kudos

Go to solution
manojksurisetty
Deputy Chef II
Deputy Chef II

2 weeks ago

Absolutely right to be cautious about storing sensitive token data in lookup tables, especially when visibility and job log exposure are a concern. A more secure and recommended approach in Workato is to use a combination of Encrypted Project  Properties and the Workato Developer API. Here's how you can implement it:
 
Recommended Steps:
 
1. Use Encrypted Project Properties
   Store your access token and expiry securely using project-level properties (set_project_property / get_project_property actions).  These values are:
  a. Encrypted at rest
  b. Hidden in the UI once saved
  c. Not exposed in job logs
 
2. Use the Workato Developer API
        Programmatically read or update these properties securely via Workato’s Project Properties API. This is useful if token refresh          logic is handled outside of Workato or needs to be triggered externally.
 
This Is Better:
     1. Keeps token values fully hidden from users and logs.
    2. Eliminates the need to store tokens in lookup tables.
    3. Offers centralized, secure, and reusable token management.
 
While it adds a bit of initial setup effort, it greatly improves security and long-term scalability.
 
Quick Note: Instead of embedding refresh logic in every flow, centralize token management using a helper recipe or an external scheduler that updates the project property. Recipes calling the external API only need to read the current token securely, simplifying the logic and improving maintainability.
 
please let me know if this helps. @dawidleman 

Go to solution
gary1
Star Chef I
Star Chef I

2 weeks ago

Call me lazy, but I would just fetch a new token with every call. Problem solved!

0 Kudos
Copyright © 2025 Khoros, LLC