Securing Secrets in Apps Script

Stop hardcoding API keys. Move from vulnerability to enterprise-grade security with the right setup logic.

Choosing the Right Storage

Not all secrets are created equal. Compare the four primary methods to find the balance between security and convenience.

User Properties (Recommended): Stores secrets privately for the current user. Others cannot see them.

Script Properties (Team Shared): One key shared by all editors. Good for team tools, risky for personal data.

GCP Secret Manager (Enterprise): External cloud storage with audit logs, rotation, and IAM controls.

Protected Sheet (Basic/Risky): Hidden tab in the spreadsheet. Easiest to access, hardest to secure.

Capability Profile: User Properties

High security for individual users. The data is isolated to the specific account executing the script.

Interactive Setup Flow

Instead of hardcoding, use a dedicated setup function triggered via a custom menu to securely store user credentials.

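```javascript
// Prompts the current user for their API key and stores it in User Properties,
// so the key never appears in the script source.
function setupApiKey() {
  const ui = SpreadsheetApp.getUi();
  const response = ui.prompt(
    'Setup Required',
    'Please enter your Google AI Studio API Key:',
    ui.ButtonSet.OK_CANCEL
  );
  // Only act when the user confirmed with OK; Cancel or closing the dialog does nothing.
  if (response.getSelectedButton() == ui.Button.OK) {
    const input = response.getResponseText().trim();
    if (input) {
      // User Properties are private to the account running the script.
      PropertiesService.getUserProperties().setProperty('GOOGLE_AI_STUDIO_API_KEY', input);
      ui.alert('✅ API Key saved successfully!');
    } else {
      ui.alert('❌ No API key entered.');
    }
  }
}
```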
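
A companion to the setup function above, as an added example that is not part of the original page: it registers the custom menu that triggers `setupApiKey()`, reads the key back so callers fail closed when it is missing, and masks the key before anything is logged. The menu title and the helper names (`getApiKey`, `clearApiKey`, `redactSecret`, `scrubForLog`) are assumptions; the property name is the one `setupApiKey()` writes.

```javascript
// Added example, not code from the original page.
// Same property name that setupApiKey() writes to.
const API_KEY_PROPERTY = 'GOOGLE_AI_STUDIO_API_KEY';

// Simple trigger: adds the custom menu each time the spreadsheet is opened.
function onOpen() {
  SpreadsheetApp.getUi()
    .createMenu('API Setup') // hypothetical menu title
    .addItem('Set API key', 'setupApiKey')
    .addItem('Remove API key', 'clearApiKey')
    .addToUi();
}

// Returns the current user's key, or throws so callers fail closed
// instead of sending a request with an empty or undefined key.
function getApiKey() {
  const key = PropertiesService.getUserProperties().getProperty(API_KEY_PROPERTY);
  if (!key) {
    throw new Error('API key not configured. Run "API Setup > Set API key" first.');
  }
  return key;
}

// Deletes the stored key, for example as the first step of rotating it.
function clearApiKey() {
  PropertiesService.getUserProperties().deleteProperty(API_KEY_PROPERTY);
}

// Masks a secret for display: only the last 4 characters stay visible,
// and secrets of 8 characters or fewer are masked completely.
function redactSecret(secret) {
  const s = String(secret || '');
  if (s.length <= 8) return '*'.repeat(s.length);
  return '*'.repeat(s.length - 4) + s.slice(-4);
}

// Replaces every occurrence of the secret in a message (an error text or a
// request URL, say) so the result is safe to pass to Logger.log().
function scrubForLog(message, secret) {
  const text = String(message);
  return secret ? text.split(secret).join(redactSecret(secret)) : text;
}
```

When logging a failure from code that used the key, pass the message through `scrubForLog(message, key)` before it reaches `Logger.log()`.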
Security Audit Simulator

Are you following best practices? Check each of the items below.

I checked my code and removed all `const API_KEY = "xyz"` strings.

I am NOT using `Logger.log()` to print secrets or tokens.

I default to UserProperties unless sharing is strictly required.

I have a plan to rotate (change) these keys periodically.

My tokens only have the permissions they absolutely need.