Python-powered chat apps with Twilio and SendGrid Transcripts
Chapter: Beautiful confirmation emails
Lecture: Storing secrets, secretly

Login or purchase this course to watch this video and the rest of the course contents.
0:00 So we want to get started using sendgrid so we can easily do that. We can say client=sendgrid.sendgridAPIClient(api_key) and let's see what it takes.
0:12 Oh, it takes the api_key, All right, No problem with api_key. And let's just put that up here. It's going to be a string, and it is equal to abu32.
0:23 Wait a minute. Have you heard that you shouldn't put API keys and other secret
0:29 passwords and connection strings and things like that right in your source code? But if you ever wondered why,
0:35 I mean, who is this is going to be a private repository? Who's going to find it? What's going to happen?
0:40 Well, it turns out that there are all sorts of services that watch things like Git Hub. And if ever there's a glimpse into your repository,
0:48 somehow it became public. Somebody cloned it or accidentally made it public for a moment and put it away. Chances are,
0:54 it's too late. Check this site out. There's a place or service called shhgit, as in, Don't talk about the secrets you can see down here.
1:02 Just secrets being found right away. They used to have this in real time. I'm not sure if this is actually real time,
1:09 but there was a way to actually see the repositories there a little bit redacted here
1:13 because there was some abuse. This is what it looks like if you subscribe to
1:17 the public, github feed and you look for the various configuration files and tokens and other things that should not be in your code.
1:24 So you really, really don't want these to be bound. So what are we going to do? Well, we're not going to do this.
1:30 Instead, we're going to say that this is none. And this is optional,to start out as none, but then be something. I'm going to set this up.
1:38 We're also going to do API. I call it key_name as well. We're not technically going to use the key_name, but in the sendgrid dashboard,
1:49 we get a specify key_name, and having those next to each other is probably worthwhile for us. So how are we going to store our API keys?
1:56 Well, there's all sorts of options. Some people put them directly in environment variables, in which case they're not as part of your code.
2:03 But you log in to the server and say, Give me the sendgrid api key out of the environment. It's easy to do in
2:09 Python. There's other services like cloudy env that actually encrypt and store those.
2:15 You could put an encryption key somewhere on your system and encrypt the keys. But what we're gonna do a relatively low effort,
2:21 type of thing. What we're gonna do is we're gonna create a Json file. I'll call it something like secrets template.json.
2:30 Why template? Because what we're gonna do is work with a file called Secrets.json But we're not going to put it into our source code.
2:37 We're going to use this template file as, like a hint. So put a little bit of in here and we'll say TODO
2:41 copy this file to secrets.json and set the real values going to make sure that secret.json is excluded and get ignored so we never check it in.
2:54 But we're going to have sections on say, like, it's sendgrid and over in sendgrid will have secret_key. Don't put the real data here.
3:06 This is going in to GitHub and like that, we're also gonna need some stuff to talk to Twilio for WhatsApp.
3:13 So we're gonna have other sections throughout this course that we add here. But for now, it's going to be this simple version.
3:20 So what I want to do is copy this over to secrets.json and ignore it. But the problem is, if I copy and pycharm often,
3:27 what will happen is pycharm says, Oh, new document, new file. Let's automatically add that to GitHub, to be friendly, generally helpful.
3:34 Not this time. So I'm going to do it outside a pycharm and then ignore it and then come back.
3:39 And here you can see that secrets.json now exists and that it's this golden color which in pitch our means that it's going to be ignored.
3:47 I just copied it over and then added it to the git ignored. So what I'm gonna do is go over here and put my API keys into this
3:54 file. I'm not going to show you that because there are mine and private.
3:58 You do that for yours and make sure you don't commit it or share it with anyone.

Talk Python's Mastodon Michael Kennedy's Mastodon