hi @yang We have been wrestling with the issue of the authorization token being shown in the build code for over a week now. We are now demoing the GraphCMS component, and on a production build the token is shown and available in the front end code. We also saw this behavior with the Contentful integration. Are we missing something? Why are these being exposed on a statically built page?
Hi @scientific_porpoise, apologies - I misread that a little bit too quickly! This is actually the intended behavior. The auth tokens should only be for read only data.
(They are ultimately exposed as part of the statically built client side code because the data fetching is designed to be isomorphic, meaning that you have the option to dynamically trigger refetches of different data from the client.)
Ok so is this just something we have to accept with Plasmic? Is this normal to expose auth tokens like this? Even read only ones? Sorry, we have never worked with React before 
Yes, especially if you ever need any client side dynamism. If you want to limit the type of read operations that can be done prevent sharing the public auth token, you can do so by proxying to your own API endpoints that in turn perform the upstream reads, or you can perform data fetching yourself in getstaticprops (which side steps the component-based data fetching altogether).
Yes, we are starting to use getstaticprops in order to overcome this, but we can’t find any examples of how to use getstaticprops for the build site and also see the data in Studio.
Basically we want to see the dynamic data in the Studio, and the statically generated data on the production site
Hi @scientific_porpoise, thank you for reaching out!
Here are some examples of how to load dynamic data using the getStaticProps() function and display it in plasmic:
https://docs.plasmic.app/learn/data-code-components/#static-or-server-rendered-data-fetching
Here are also other examples for implementing data driven pages (e.g. a dynamic blog post page):
https://docs.plasmic.app/learn/dynamic-pages/
Also, for anyone else wondering about exposing API keys in the frontend, we found this:
It is important to differentiate between the GraphQL Admin API and the GraphQL Storefront API. Given that the Storefront API is intended for customer-facing experiences, it is a public API which is designed to be used client-side. This means the access token used for authentication is not secret and can be used in places where it will be exposed.
The Admin API key and password, however, should never be used client side.