If I were to make a TC that requires the admin/moderator to input an API key as part of a theme setting, would that be safe? I know I could do a plugin which is safer, but a plugin seems like much more work.
Theme settings are available to the client JS app, so that means any visitor to your site could check the source code to see them. You almost certainly don’t want to put an API key there.
The exception would be for API keys that are designed for client-side use, and therefore aren’t a concern if anyone gets access to them (e.g. Giphy, Google Maps embeds, etc.)
1 Like
Got it. A plugin’s what I’ll go with.
Thanks!
1 Like