Hello Plasmic Team! Let me start by saying you have a wonderful product. I have a question about a project's public API token. Is this considered a secret value? Due to some technical reasons, I’ve been using plasmic sync directly in a GitHub action. I see from the open source code for the CLI that you can provide the project ID as well as the API token like this: plasmic sync --projects $PROJECT_ID:$PROJECT_TOKEN. But this also seems to write the token inside the plasmic.json, which I assume should be committed? Maybe I’m using something I’m not supposed to. Is this the correct way to sync projects from CI? I saw the docs on plasmic auth as well but wasn’t sure how I could use it programmatically.
I’ve also wondered about this and believe I’ve asked similar questions before but forget the response. I would really love a blog post or something explaining the behavior and structure and how one should examine the risk associated with the practice.
It certainly seems like it should be secret! I just saw this message https://plasmiccommunity.slack.com/archives/C0128PVPESU/p1701911310990059?thread_ts=1701690424.344349&cid=C0128PVPESU and was able to sync this random project no problem. The docs are a tad confusing here because they often put this token for the Plasmic loader in plain text. Maybe I need to do some post-processing on the plasmic.json to remove this field. It actually isn’t documented in the schema, so perhaps this is an oversight somehow.
As a workaround, I’ll just be deleting the API token from the plasmic.json file prior to a commit that will happen in the workflow until I find a better way.
I’ve just been keeping my projects private until I’ve been able to look into it more heavily,
and I haven’t produced anything of significance that I plan on pushing to production any time soon until I’m able to thoroughly sus it out. From what I can tell so far, I don’t think the tokens are expected to be private or secret; but I do think that having the token and certain permissions gives a good amount of control of a project.
Found the thread that I participated in related to this subject: https://github.com/plasmicapp/plasmic/pull/88
Hi Kevin, the token you are referring to gives you read-only access, so it should be fine to commit it, as this is basically the same thing as being able to see the code present in your repository for codegen. For the loader the same can be argued, but it’s also fine to have it in an environment variable if you fetch the content server side; the fetched content also becomes available in your page, though, as it’s the content for your page…
But this is not true for all the tokens in the product; for example the auth one shouldn’t be exposed in any way.
+1 to what Felipe said; the token is safe to commit and expose to clients.
Also, note the reason you can ~sync~ view this project is because it’s an example project and its permissions are set to allow public access. You can configure your own projects’ permissions in the Share dialog (top-right).
Docs: https://docs.plasmic.app/learn/collaboration/
I appreciate and understand what y’all are saying; I think I would like to just personally see how Plasmic itself has thought through the potential weaknesses of going with this approach, specifically to address some of the concerns that might come up: https://g.co/bard/share/645310856fc6
@jason so if I uncheck “Share by link is enabled” from the “Share” dialog, is the expectation that I shouldn’t be allowed to sync a project with the CLI even if I have the token? That’s the only option I see, and after removing my .plasmic.auth file and syncing again and including the token in the CLI command I can still download all the source code.
I think the expectation is that now that you have the “Share by link is enabled” setting, you or anyone you’ve invited into the project are able to access the project or sync to the project through the API.
Right, I think that’s just not the behaviour I’m seeing. I have that box unchecked, but if I use the token in the sync CLI command I can still download the source code for the project.
For example, this is a project I just created, and when I tried to access it from an account that I didn’t give access to, I got this error.
Ya, I think that is because you’ve already gone through the step for the Plasmic Auth; you’d have to revoke the token from your settings, I believe.
Hmm, but I also deleted my local .plasmic.auth file, and if I don’t include the API token I do get an error telling me to log in (which is expected based on my understanding).
Did you delete the personal access token from your settings too?
https://plasmiccommunity.slack.com/archives/C0128PVPESU/p1702414075979259?thread_ts=1702409480.338739&cid=C0128PVPESU
Or at least this could be an admin setting that could be set at the org or workspace level, if not by default for all of Plasmic.
Do I need to delete my access tokens? I would assume that deleting my auth file would revoke access (which seems to be the case). Running npx plasmic sync -p $PROJECT_ID --yes fails saying I need to log in with Plasmic, but running npx plasmic sync -p $PROJECT_ID:$PROJECT_TOKEN --yes succeeds without requiring me to log in (this is with sharing disabled).