Question about using project public API token

Hello Plasmic Team! Let me start by saying you have a wonderful product :smile: I have a question about a project's public API token. Is this considered a secret value? Due to some technical reasons, I’ve been using plasmic sync directly in a GitHub Action. I see from the open source code for the CLI that you can provide the project ID as well as the API token like this: plasmic sync --projects $PROJECT_ID:$PROJECT_TOKEN. But this also seems to write the token inside the plasmic.json, which I assume should be committed? Maybe I’m using something I’m not supposed to :sweat_smile: Is this the correct way to sync projects from CI? I saw the docs on plasmic auth as well but wasn’t sure how I could use it programmatically.

I’ve also wondered about this and believe I’ve asked similar questions before but forget the response. I would really love a blog post or something explaining the behavior and structure and how one should examine the risk associated with the practice.

It certainly seems like it should be secret! I just saw this message and was able to sync this random project no problem. The docs are a tad confusing here because they often put this token for the Plasmic loader in plain text. Maybe I need to do some post-processing on the plasmic.json to remove this field :thinking_face: It actually isn’t documented in the schema, so perhaps this is an oversight somehow.

As a workaround, I’ll just be deleting the API token from the plasmic.json file prior to the commit that will happen in the workflow, until I find a better way.

I’ve just been keeping my projects private until I’ve been able to look into it more heavily.

And I haven’t produced anything of significance that I plan on pushing to production any time soon until I’m able to thoroughly suss it out. From what I can tell so far, I don’t think the tokens are expected to be private or secret, but I do think that having the token and certain permissions gives a good amount of control over a project.

Found the thread that I participated in related to this subject.

Hi Kevin, the token you are referring to gives you read-only access, so it should be fine to commit it, as this is basically the same thing as being able to see the code present in your repository for codegen. For the loader the same can be argued, but it’s also fine to have it in an environment variable if you fetch the content server side; the fetched content also becomes available in your page, though, as it’s the content for your page…

But this is not true for all the tokens in the product; for example, the auth one shouldn’t be exposed in any way.

It certainly seems like it should be secret! I just saw this message and was able to sync this random project no problem.
+1 to what Felipe said; the token is safe to commit and expose to clients.

Also, note the reason you can ~sync~ view this project is because it’s an example project and its permissions are set to allow public access. You can configure your own projects’ permissions in the Share dialog (top-right).

I appreciate and understand what y’all are saying; I think I would just personally like to see how Plasmic itself has thought through the potential weaknesses of going with this approach, specifically to address some of the concerns that might come up.

@jason so if I uncheck “Share by link is enabled” in the “Share” dialog, is the expectation that I shouldn’t be allowed to sync a project with the CLI even if I have the token? That’s the only option I see, and after removing my .plasmic.auth file and syncing again with the token included in the CLI command, I can still download all the source code.

I think the expectation is that now that you have “Share by link is enabled”, you or anyone you’ve invited into the project are able to access the project or sync the project through the API.

Right, I think that’s just not the behaviour I’m seeing. I have that box unchecked, but if I use the token in the sync CLI command I can still download the source code for the project.

For example, this is a project I just created, and when I tried to access it from an account that I hadn’t given access to, I got this error:

Ya, I think that is because you’ve already gone through the step for the Plasmic auth; you’d have to revoke the token from your settings, I believe.

Hmm, but I also deleted my local .plasmic.auth file, and if I don’t include the API token I do get an error telling me to log in (which is expected based on my understanding).

@fmota @jason I would appreciate it if sharing was off by default, TBH.

Did you delete the personal access token from your settings too?

Or at least have this be an admin setting that could be set at the org or workspace level, if not by default for all of Plasmic.

Do I need to delete my access tokens? I would assume that deleting my auth file would revoke access (which seems to be the case). Running npx plasmic sync -p $PROJECT_ID --yes fails saying I need to login with plasmic, but running npx plasmic sync -p $PROJECT_ID:$PROJECT_TOKEN --yes succeeds without requiring me to login (this is with sharing disabled).
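The CI workaround described earlier in the thread (strip the project token out of plasmic.json before the workflow commits it), written out as an added example; this is not code from the thread or from Plasmic. It assumes the CLI stores the token in a projectApiToken field under each entry of the projects array, which the thread notes is undocumented, and the sample plasmic.json is constructed.

```python
import json
from typing import Any

# Per-project token field name in plasmic.json. Assumed here (the thread says the
# field is undocumented); check it against a freshly synced file before relying on it.
TOKEN_FIELD = "projectApiToken"

# Constructed sample of what `plasmic sync --projects ID:TOKEN` might leave behind.
# The IDs and token are made up, not real Plasmic values.
SAMPLE_PLASMIC_JSON = json.dumps({
    "platform": "nextjs",
    "projects": [
        {"projectId": "abc123", "projectName": "Landing", TOKEN_FIELD: "tok-constructed"},
        {"projectId": "def456", "projectName": "Blog"},
    ],
})


def load_sample() -> dict[str, Any]:
    """Parse the constructed sample so callers can work with a plain dict."""
    return json.loads(SAMPLE_PLASMIC_JSON)


def strip_project_tokens(config: dict[str, Any]) -> tuple[dict[str, Any], int]:
    """Return a deep copy of the config with every project token removed, plus the count removed."""
    cleaned = json.loads(json.dumps(config))  # copy so the caller's dict stays untouched
    removed = 0
    for project in cleaned.get("projects", []):
        if TOKEN_FIELD in project:
            del project[TOKEN_FIELD]
            removed += 1
    return cleaned, removed


def find_leaked_tokens(config: dict[str, Any]) -> list[str]:
    """Project IDs whose entry still carries a token; a non-empty result means do not commit."""
    return [p.get("projectId", "?") for p in config.get("projects", []) if TOKEN_FIELD in p]


def scrub_file(path: str) -> int:
    """Rewrite plasmic.json in place without tokens; returns how many tokens were removed."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    cleaned, removed = strip_project_tokens(config)
    if find_leaked_tokens(cleaned):  # defensive: should never trigger after stripping
        raise RuntimeError("token still present after scrub; refusing to write")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(cleaned, fh, indent=2)
        fh.write("\n")
    return removed
```

In the workflow, run scrub_file("plasmic.json") right after the sync step and before git add; find_leaked_tokens doubles as a pre-commit guard that fails the job if a token ever slips back into the file.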