Where to store my credentials for 3rd party REST API?


Hello Community,

I am using meteor to build an app, which needs to call a 3rd party REST API. I have to authenticate to that API vial my credentials (username:password).

I only need to access the API from the Server, so I wrote a function which is in my /server directory.
Currently I have defined my credentials in a variable AUTH = “username:password” (in the same file containing the function) which is used in the HTTP request.

My question is, whether it is OK that I store my credentials in that file, which should not be accessable from the client (= user), or whether there is a better way to store my credentials I need for a 3rd party API call?

Thank you and best regards.


Either add the credentials to a settings.json file and access them via Meteor.settings.myAuthToken and launch Meteor using meteor --settings settings.json.

Or launch Meteor via: MYAUTHTOKEN=xyz meteor and then access the token via process.env.MYAUTHTOKEN.

See ENV variabels or settings


Hello idmontie

thanks for your answer and pointing to other topic.


More reading if you want a step-by-step tutorial: http://sergiotapia.me/2015/07/22/meteor-environment-variables-2/


@sergiotapia: the link is now dead. In the meantime, MDG has published a security guide, of which the relevant part is this: