Settings & Secrets
Configure your API with settings for public configuration and secrets for sensitive credentials.
Custom Settings
Settings are simple key-value pairs accessible via the API. Use them for application configuration that doesn't need to be secret.
Creating Settings
- Go to Settings → Custom Settings
- Click Add Setting
- Enter a key and value
- Save
Accessing Settings
Retrieve settings via the `_settings` endpoint:

```
GET https://eu.restapi.com/my-api/_settings
```

Response:

```json
{
  "featureFlags": "dark-mode,beta-features",
  "maxUploadSize": "10485760",
  "supportEmail": "support@example.com"
}
```
Use Cases
| Use Case | Example |
|---|---|
| Feature flags | enableNewUI: true |
| Configuration | maxItemsPerPage: 50 |
| Public values | companyName: Acme Corp |
| Environment settings | environment: production |
Settings are not encrypted and are readable by anyone who can call the `_settings` endpoint. Don't store sensitive data like passwords or API keys here. Use Secrets instead.
Secrets
Secrets are encrypted credentials that can only be accessed by functions. They're never exposed via the API.
Creating Secrets
- Go to Settings → Secrets
- Click Add Secret
- Enter a key and value
- Save
Security Features
- Encrypted at rest — Values stored securely
- Hidden by default — Values shown as asterisks
- Function-only access — Cannot be retrieved via API
- One-way storage — You cannot retrieve the original value
Using Secrets in Functions
- When editing a function, select which secrets to inject
- Access them via the `secrets` object:

```javascript
// Injected secrets are plain properties on the `secrets` object
const apiKey = secrets.STRIPE_API_KEY;
const webhookSecret = secrets.WEBHOOK_SECRET;

// Send the key in a header, never in the URL or in log output
await fetch('https://api.stripe.com/v1/charges', {
  headers: {
    'Authorization': `Bearer ${apiKey}`
  }
});
```
Use Cases
| Use Case | Example Key |
|---|---|
| API keys | STRIPE_API_KEY |
| Database credentials | DB_PASSWORD |
| OAuth secrets | GOOGLE_CLIENT_SECRET |
| Webhook secrets | WEBHOOK_SIGNING_SECRET |
| Encryption keys | ENCRYPTION_KEY |
Never log secrets or include them in error messages. They should remain hidden.
Service Connections
Service connections define how to authenticate with external services.
Creating a Connection
- Go to Settings → Service Connections
- Click Add Connection
- Configure:
- Name — Identifier for the connection
- Auth Method — OAuth2Token, APIKey, or custom
- Auth URL — Authentication endpoint
- Request Fields — Parameters like client_id, client_secret
Use Cases
- Standardize how functions connect to external APIs
- Centralize authentication configuration
- Simplify function code
Web App Settings
Configure your hosted web application.
General Settings
| Setting | Description |
|---|---|
| Web App URL | Your application hostname (.restapi.cloud or custom domain) |
| Login URL | Direct link to hosted login page |
Login Customization
Brand the login experience:
| Setting | Description |
|---|---|
| Logo URL | URL to your logo image |
| Background Color | Hex color code for background |
| Login Header | Custom text above login buttons |
| Redirect URIs | Allowed redirect URLs after login |
Security Headers
Configure HTTP security headers:
| Header | Purpose |
|---|---|
| CSP | Content Security Policy — controls resource loading |
| HSTS | HTTP Strict Transport Security — forces HTTPS |
| X-Frame-Options | Prevents clickjacking |
| X-Content-Type-Options | Prevents MIME sniffing |
| Referrer-Policy | Controls referrer information |
| Permissions-Policy | Controls browser features |
Click Set to Default to apply recommended security values.
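As an added example (not part of the original page, and not the values "Set to Default" applies), this checker takes a response's headers and reports which of the headers in the table above are missing or weakly configured. The thresholds (one-year HSTS `max-age`, no `'unsafe-inline'` in script-related CSP directives, `DENY`/`SAMEORIGIN` or a `frame-ancestors` directive) are this example's own assumptions; the two header sets are constructed samples.

```javascript
// Lower-case header names so lookups are case-insensitive.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value);
  return out;
}

// Returns { ok, findings } where findings lists each weak or missing header.
function checkSecurityHeaders(rawHeaders) {
  const h = normalise(rawHeaders);
  const findings = [];

  const csp = h['content-security-policy'];
  if (!csp) findings.push('CSP: header missing');
  else if (/(script-src|default-src)[^;]*'unsafe-inline'/i.test(csp)) {
    findings.push("CSP: script-src/default-src allows 'unsafe-inline'");
  }

  const hsts = h['strict-transport-security'];
  const maxAge = hsts ? /max-age=(\d+)/i.exec(hsts) : null;
  if (!hsts) findings.push('HSTS: header missing');
  else if (!maxAge || Number(maxAge[1]) < 31536000) findings.push('HSTS: max-age below one year');

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!['DENY', 'SAMEORIGIN'].includes(xfo) && !/frame-ancestors/i.test(csp || '')) {
    findings.push('X-Frame-Options: not DENY/SAMEORIGIN and no CSP frame-ancestors');
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options: expected nosniff');
  }

  const referrer = (h['referrer-policy'] || '').toLowerCase();
  if (!referrer || referrer === 'unsafe-url') findings.push('Referrer-Policy: missing or unsafe-url');

  if (!h['permissions-policy']) findings.push('Permissions-Policy: header missing');

  return { ok: findings.length === 0, findings };
}

// Constructed sample: a weak configuration and a hardened one.
const weakHeaders = {
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'ALLOWALL',
  'Referrer-Policy': 'unsafe-url',
};
const hardenedHeaders = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
```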
File Explorer
Upload static files for your web app:
- Go to App Settings → Files
- Drag and drop files or click to select
- Files are immediately available at your web app URL
Supported files: HTML, CSS, JavaScript, images, PDFs, audio, video, and more.
Security Settings
Authentication Providers
Configure identity providers for user authentication:
- Go to Security → Auth Providers
- Click + New authentication provider
- Select a provider and configure credentials
| Provider | Configuration |
|---|---|
| Microsoft | Client ID, optional single-tenant with Organization |
| Client ID | |
| Apple | Client ID |
| App ID, Secret | |
| OpenID Connect | Client ID, Secret, Issuer URL |
| Passkey | No credentials required (WebAuthn) |
| Vipps | Client ID, Secret, Subscription Key, MSN |
| Vipps MT (Test) | Test environment for Vipps |
Options:
- Single tenant (Microsoft only) — Restrict to a specific Azure AD organization
- Login with popup — Use popup window instead of redirect
CORS
Control which domains can access your API:
- Go to Security → CORS
- Add allowed origins
- Configure allowed methods and headers
IP Whitelist
Restrict API access to specific IP addresses:
- Go to Security → IP Whitelist
- Add trusted IP addresses or ranges
reCAPTCHA
Protect against bots:
- Go to Security → reCAPTCHA
- Enable and configure your site key
- Choose v2 or v3
- Set score threshold (v3)
Cookie Authentication
Enable cookie-based authentication:
- Go to Security → Cookies
- Enable cookie authentication
- Configure CSRF protection
Best Practices
- Use Secrets for credentials — Never store sensitive data in Settings
- Descriptive key names — Use clear names like STRIPE_API_KEY
- Document settings — Keep track of what each setting does
- Rotate secrets regularly — Update credentials periodically
- Limit secret access — Only inject secrets into functions that need them
- Test security headers — Verify headers don't break your application