Just someone asked something and I may have a flow that does what they want.
But one node has a key in it.
Hey Andrew,
We might need more info.
Let's assume when you say "POST" you mean an HTTP submit that includes a "body" of data.
There is no specific property called key.
The body of data is whatever is posted.
I have open-weather and it needs a key to work.
Someone was asking about a weather api (whatever that is)
I have a flow that gives you the weather in a nice graphical way.
But I want to check what happens with my key if/when I post the exported flow here.
Sorry for the confusion.
Only 1:20 out of bed. Still getting things up to speed.
Ok...
I think I get it.
The key you're referring to is your "license", if you will, to use that API - Most services offering access to data require to know who is using that API (and to detect if that user is abusing the services provided)
If exporting a flow that uses a key that is assigned to "You" - it's best to redact that key.
So the user "reusing" that flow - needs to get their own key.
Before pasting the flow, do a search and replace to remove your key
replace("xxxxxxx","Get-Your-Own-Key")
I hope this helps
If the api-key is in a config section of a node (e.g. openweathermap node) then it will not be shared. If the api-key is in a http, change, function, template, etc. node then you will need to redact it manually.
[edit for future reference] if you store the api-key in context storage, then it will not be shared when exporting also.
[edit for further info] You can also store the api-key as an environment var in the flow or group, set as credential; this too will not be exported.
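As an added example (not part of any post in this thread): a small Node.js script that automates the search-and-replace redaction suggested above for keys embedded in http request, function, change or template nodes, and reports which nodes carried the key. It assumes the export is the usual JSON array of node objects; the sample flow, key and URL are constructed.

```javascript
// Added example: redact known API keys from an exported Node-RED flow before sharing.
// Assumption: the export is a JSON array of node objects with id/type fields.
const PLACEHOLDER = "Get-Your-Own-Key";

// Recursively replace every occurrence of each secret inside string values.
function scrub(value, secrets, hit) {
  if (typeof value === "string") {
    let out = value;
    for (const s of secrets) {
      if (s && out.includes(s)) {
        out = out.split(s).join(PLACEHOLDER);
        hit.found = true;
      }
    }
    return out;
  }
  if (Array.isArray(value)) return value.map((v) => scrub(v, secrets, hit));
  if (value && typeof value === "object") {
    const copy = {};
    for (const [k, v] of Object.entries(value)) copy[k] = scrub(v, secrets, hit);
    return copy;
  }
  return value;
}

// Returns the cleaned export plus a report of which nodes carried a secret.
function redactFlow(exportedJson, secrets) {
  const nodes = JSON.parse(exportedJson);
  const report = [];
  const cleaned = nodes.map((node) => {
    const hit = { found: false };
    const safe = scrub(node, secrets, hit);
    if (hit.found) report.push({ id: node.id, type: node.type });
    return safe;
  });
  return { json: JSON.stringify(cleaned), report };
}

// Constructed sample: the key sits in an http request URL and in function code.
const SAMPLE_KEY = "0123456789abcdef-constructed";
const sampleExport = JSON.stringify([
  { id: "n1", type: "http request", url: "https://api.example.invalid/weather?q=Sydney&appid=" + SAMPLE_KEY },
  { id: "n2", type: "function", func: "msg.headers = {'x-api-key': '" + SAMPLE_KEY + "'};\nreturn msg;" },
  { id: "n3", type: "debug", name: "show weather" },
]);

const result = redactFlow(sampleExport, [SAMPLE_KEY]);
console.log(result.report); // nodes that contained the key
```

A key that has already been posted unredacted should be treated as exposed and regenerated with the provider; redaction only protects exports made afterwards.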
I usually put my keys in a global or flow context variable and use a change or inject node to include it. That way the value can never accidentally be included.
When you access an API via a special purpose node eg node-red-contrib-openweathermap (No idea if that particular node exists), the API key should be stored in flows_cred.js and when you export the flow it does not include the key value.
For APIs that I access with an http node rather than a special purpose node:
The first tab in my Node-red editor is "Set globals".
It has change nodes which store API keys/ids as global context.
Since it's the first tab, the flows there should be executed first when Node-red starts up, thus global.openweathermapid etc are certain to be available when I need them.
I could export and post my entire weather flow here and the only thing that would be revealed is the name of the global context variable, not its value.
Currently though I am contemplating using environment variables instead.
They can be set external to Node-red in settings.js or an environment setup file.
I could post my entire flows.json without revealing the API keys.
@TotallyInformation and @jbudd
I will have to be shown how to do that.
Ok, @jbudd does explain it a bit more, but I am not confident to do it yet.
Is that correct?
I believe so, I remember reading that the order of the flow json dictates the execution order for nodejs.
I confess I have no evidence for it beyond having read it a couple of times in the forum.
Edit: Brave's AI says this:
Yes, it should be. The left-most tab is supposed to be executed first. That certainly should be the case. I generally reserve that tab for things I want running on startup. Less important now that we can have retained context variables but much of my home automation setup still uses it.
There is a subtlety as with the global config node, a global flow containing all global nodes is created and executed in the runtime and then other flows are executed.
@GogoVega - So.... regardless of whether it's the first tab, or the 20th tab, global will always take precedence?
Yes, the global flow will always be the first one launched.
Well, ok, thanks I know I've marked this as SOLVED but I am none the wiser on how to do it.
Say the node is exampleNode.
I have to enter my key to be able to use it.
It is in that node's .... properties (?)
How do I set that in the global config file?
Is your question whether the API key is likely to be exported?
If so, all information contained in the node definition is exported except for the credentials object.
If you are not developing a node, the recommended way for credentials is to go through env (because not exported).
I'll be honest.
I am not really sure what I mean.
It is just I recently exported/shared a flow which included a node which needed a key to use it.
Luckily I realised this and fixed an oops moment when I posted it.
It was stated I can save the key ...... somewhere. Global config I think was named.
Then other things were also included. Maybe helping me, maybe confusing me more.
So I am wanting to get my head around one of the ideas. Not sure which one, but I think it would/could/might be better than the way I do it now.
Then if ever I share stuff again, I don't have to worry about sharing a key I have.
I am not seeing/understanding a link between the node and the global config file.
OK, now I'm totally confused!
What is the global flow and where is it documented?
AFAIK, this is the first I've ever heard of it. After over a decade of Node-RED use
(No blame assigned)
This is kind of the start of my confusion.
(post 5)
[quote="TotallyInformation, post:6, topic:89968, full:true"]
I usually put my keys in a global or flow context variable and use a change or inject node to include it. That way the value can never accidentally be included.
[/quote]
But - to me - I have seen other options also suggested which is/are just as confusing.
Sorry.