Passing Secrets to Webtask Code

A webtask token can provide secret parameters to webtask code


You can create a webtask token that includes public or secret parameters. These parameters are made available to the webtask code when it runs. This mechanism provides a convenient way to equip your webtask code with secret credentials necessary to communicate with external systems while preventing disclosure of these credentials to third parties, including the owner of the webtask token.

For example, you could write webtask code that sends an SMS message using Twilio. The secret keys to call Twilio APIs can then be stored encrypted in the webtask token, only to be decrypted and provided to your webtask code when it runs. Such a webtask token can be safely embedded and shipped as part of a mobile application without the risk of disclosing your Twilio keys.

NOTE: It only makes sense to embed secret parameters in a webtask token that also restricts the webtask code. Otherwise, custom code specified by the owner of the token could gain access to the secrets.

You can create a webtask token that is restricted to executing only the webtask code at a particular URL, and that provides this code with a secret parameter, by specifying the url and ectx restrictions as part of the webtask token request.

You can use curl to make such a webtask token request:

export PARAMETERIZED_TOKEN=$(curl -s https://webtask.it.auth0.com/api/tokens/issue -H "Authorization: Bearer {webtask_token}" -H "Content-Type: application/json" --data-binary '{"url":"http://bit.ly/1wT1DOi","ectx":{"secret":"abc!123"}}')

The issued token will contain an encrypted version of the secret parameter specified as part of the ectx restriction. The secret is encrypted with a key only the webtask cluster possesses. This means even the owner of the issued webtask token will not be able to access the embedded secrets.

An application or user who has access to the token can use it to run webtask code that will be provided with the embedded secret. This is how you can use curl to run the code and see that the secret is indeed made available to the webtask code:

curl "https://webtask.it.auth0.com/api/run/{webtask_container}?name=Tomek" -H "Authorization: Bearer $PARAMETERIZED_TOKEN" -X POST

NOTE: A webtask request that uses a token with encrypted parameters can still use URL query parameters to pass additional data to the webtask code. However, if a parameter stored in the webtask token has the same name as a URL query parameter, the value from the token takes precedence.
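
The precedence rule above, modelled locally as an added example (not code from the original page or from the webtask project). It assumes the runtime hands the merged parameters to the code as context.data and calls it with (context, cb); mergeParams, smsWebtask, simulateRun and the sms.example.invalid endpoint are hypothetical names, and nothing here contacts the webtask service.

```javascript
// Added example: local model only; it does not call the webtask service.
// Assumption: the runtime merges token and query parameters into context.data.

// Token parameters overwrite same-named URL query parameters.
function mergeParams(queryParams, tokenParams) {
  return Object.assign({}, queryParams, tokenParams);
}

// Hypothetical webtask body: uses the secret to authenticate an outbound
// call and never places it in the response returned to the caller.
function smsWebtask(context, cb) {
  const { secret, name } = context.data;
  if (typeof secret !== 'string' || secret === '') {
    return cb(new Error('secret parameter missing from token'));
  }
  const outbound = {
    url: 'https://sms.example.invalid/send', // placeholder endpoint
    headers: {
      Authorization: 'Basic ' + Buffer.from('api:' + secret).toString('base64'),
    },
    body: { text: 'Hello, ' + String(name || 'anonymous') },
  };
  // A real webtask would send `outbound` here; the model just returns it.
  cb(null, { status: 'queued', text: outbound.body.text }, outbound);
}

// Simulates one run request: token parameters plus caller-controlled query.
function simulateRun(tokenParams, queryParams) {
  const context = { data: mergeParams(queryParams, tokenParams) };
  let result;
  smsWebtask(context, (err, response, outbound) => {
    result = { err, response, outbound };
  });
  return result;
}

// Constructed inputs: the caller tries to override the embedded secret.
const demo = simulateRun(
  { secret: 'abc!123' },
  { name: 'Tomek', secret: 'caller-supplied' }
);
console.log(demo.response); // { status: 'queued', text: 'Hello, Tomek' }
```

The outbound request carries the token's secret, not the value sent in the query string, and the response returned to the caller contains neither.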