Trust the author - the meaning

Can somebody elaborate on the meaning of the quotes below?

If the code is actually run on the device, well, it doesn’t get sent to the place where the code is hosted - isn’t that correct?

Of course you should be aware of what is in the code so the code doesn’t copy your data to a malicious site - but if you are in control of the code then this shouldn’t be a problem, I expect.

Make Sure You Trust The Author
If you’re using code written or hosted by someone else – make sure you trust the author. Experimental Code columns can access any data you pass to them so it’s important you are confident with where it’s going.

(in reality, the code runs on your device, but it’s useful to think of it this way :point_up_2:t3:)

So can you pass a secret key to e.g. the exposed Cloudinary API in order to get hold of some data from your account there - without passing the secret key to the place where the code is hosted?

Or will the secret key be accessible on the device that runs the app - e.g. by inspecting the code?

The author of the Experimental Code column could, if they wanted to, add some code to send all information you send to it to some server they control, and do whatever they want with it, no matter where the code runs.

Suppose I make an Experimental Code column called “Validate Credit Card Number” and I share it here. While validating, that code column could make purchases with the credit card. It does not matter that the code is running on the device.

The best thing to do is copy any code columns that you want to use, so they are under your exclusive control. Then you can see for yourself exactly what the code does, and nobody can change it but you.

If this feature is popular, we will create some process to help you figure out which code columns are trusted by Glide, and which are not.

6 Likes

@david thanks. Think I understand. You just got to be in control of the code. Yes.

But when you run the code it is running on the user’s device - and does not send any data to the origin of the code, right?

That’s right, Glide does not send data to where the code column is hosted. In theory, this should even allow code columns to work offline (I haven’t tested that). But, the code could then do whatever it wants.

1 Like

@david is there any way we can use an external API which uses API keys/passwords, and not disclose the keys/passwords to the users (who might be inspecting the code)? The API info is to be used by everybody in the app.

No, there is no safe way to do this yet.

What about if we use the Hell Yes-Code?

In my tests, I prefer to create my code using Mark’s Yes-Code while it’s possible (it’s multi-use and reusable) instead of creating new code for each purpose/need.

If the API key is sent as a parameter (part of the code sent as a string), isn’t it safer than writing and showing the API key in Function.js?

Thanks @david

4 Likes

Hi @Krivo

Are you able to test and inspect the code to find the API key using my idea written above?

The trick is to use the Hell Yes-Code; otherwise, we have a big security problem.

Thanks!

@gvalero I’m not a great hacker :wink:
Anyhow, you didn’t supply a link to an app so I cannot try it out. What are you connecting to - Google Maps?

@gvalero If you pass the API key into the Code column through a parameter, then only people who can access the app can potentially see the API key.

If the column code is loaded before going offline, the Code column will work offline as long as it doesn’t require the network.

@mark so if the user opens the app on a computer then he will be able to inspect the code and find the API key?

Yes.

@mark ok. So there is no secure way to pass on an API key by use of the experimental column. It would be so fantastic to be able to connect to an external API where you need to provide an API key/secret. It would open up a lot of new possibilities. Hope you are considering how to do that.

1 Like

There is no secure way to do that when the code runs on the user’s device.

@mark but Glide can (in the future) create an API column that is secure? Isn’t that correct?

Or we can at the moment use a webhook to e.g. Integromat, which does the retrieval of data from the third-party API, and then Integromat could send the data back to Glide (through Google Sheets at the moment). If Glide could retrieve data directly into Glide tables then we would have a fast and secure solution as well.

1 Like
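The pattern described in the post above (the app calls a middleman you control, the middleman holds the credential and calls the third-party API, and only the result travels back) is sketched below as an added example. It is not code from Glide, Integromat or anyone in the thread. The upstream URL, the operation names, the `limit` parameter and the injected `send_upstream` callable are assumptions made so the example runs offline; the point it demonstrates is that the secret is attached on the server side and never appears in anything the client can inspect.

```python
import json
import os

# Assumption: the secret lives only in the server's environment (or a secret
# manager), never in the app's code column or any parameter passed to it.
UPSTREAM_API_KEY = os.environ.get("UPSTREAM_API_KEY", "constructed-server-side-secret")

# Allowlist of upstream operations the proxy performs on the client's behalf.
# A client can only name an operation; it cannot supply an arbitrary URL.
ALLOWED_OPERATIONS = {
    "list_assets": "https://api.example.invalid/v1/assets",  # hypothetical upstream endpoint
}

# Query parameters a client is allowed to influence, per operation.
ALLOWED_PARAMS = {"list_assets": {"limit"}}


def build_upstream_request(client_request: dict) -> dict:
    """Translate an untrusted client request into the upstream call.

    The credential is added here, on the server, so the device running the
    app never holds it. Unknown operations and unexpected parameters are
    dropped rather than forwarded.
    """
    op = client_request.get("op")
    if op not in ALLOWED_OPERATIONS:
        raise ValueError(f"operation not allowed: {op!r}")
    raw_params = client_request.get("params", {}) or {}
    params = {k: v for k, v in raw_params.items() if k in ALLOWED_PARAMS[op]}
    return {
        "url": ALLOWED_OPERATIONS[op],
        "headers": {"Authorization": f"Bearer {UPSTREAM_API_KEY}"},
        "params": params,
    }


def handle_client_request(client_request: dict, send_upstream) -> dict:
    """Serve one client request.

    `send_upstream` is the HTTP call (e.g. a requests/urllib wrapper), injected
    so this example runs without network access. Only the data field of the
    upstream reply is returned; headers, debug fields and anything else that
    might echo the credential are not passed through.
    """
    upstream = build_upstream_request(client_request)
    raw = send_upstream(upstream)
    return {"op": client_request["op"], "data": raw.get("data", [])}


def is_rejected(client_request: dict) -> bool:
    """True when the proxy refuses the request before any upstream call."""
    try:
        build_upstream_request(client_request)
    except ValueError:
        return True
    return False


def response_leaks_secret(response: dict) -> bool:
    """Defensive check: does the serialized client response contain the key?"""
    return UPSTREAM_API_KEY in json.dumps(response)


def fake_upstream(req: dict) -> dict:
    """Constructed stand-in for the third-party API.

    It verifies the server attached the credential and, to make the filtering
    in handle_client_request visible, echoes the key in a debug field the way a
    chatty API might.
    """
    if req["headers"].get("Authorization") != f"Bearer {UPSTREAM_API_KEY}":
        return {"error": "unauthorized"}
    limit = int(req["params"].get("limit", 2))
    return {"data": [{"id": 1}, {"id": 2}][:limit], "debug_key": UPSTREAM_API_KEY}


if __name__ == "__main__":
    # Constructed client request: the app names an operation, not a URL or key.
    reply = handle_client_request({"op": "list_assets", "params": {"limit": 1}}, fake_upstream)
    print(json.dumps(reply))
    print("secret leaked to client:", response_leaks_secret(reply))
    print("arbitrary URL rejected:", is_rejected({"op": "https://evil.invalid/"}))
```

In a real deployment `send_upstream` would be the actual HTTP client and the handler would sit behind the webhook (or, as the post suggests, a future server-side column); the allowlist is what keeps the proxy from becoming an open relay that spends your quota on anyone's behalf.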

https://community.glideapps.com/t/please-help-us-test-yes-code-column/28870/149?u=uzo

I think the problem is solved! ... until some of Glide’s top experts hack my SAMPLE … LOL
PM me the API key if you can find it… and I will start working on a new solution.