API Keys Secrets and Secure Configuration in Google Apps Script

by

📘 Lesson 4 — API Keys, Secrets & Secure Configuration in Google Apps Script

Blog Post #4 in the Apps Script + APIs + Gemini Series

If you’ve ever seen code like this:

const API_KEY = "my-secret-key";

…you’ve already seen a problem.

In this lesson, you’ll learn how to properly store and manage secrets (API keys, tokens, configuration values) in Google Apps Script—the right way.

This is mandatory knowledge before working with:

  • Gemini
  • Paid APIs
  • Production web apps
  • Shared Apps Script projects
  • GitHub repositories

🎯 What You’ll Learn

By the end of this lesson, you’ll know how to:

✅ Store API keys securely
✅ Use PropertiesService correctly
✅ Avoid leaking secrets in code or GitHub
✅ Validate configuration at runtime
✅ Build scripts that fail safely
✅ Prepare your project for Gemini AI

🧠 Why This Matters (Especially for Gemini)

  • Gemini requires an API key
  • API keys are billable
  • Exposed keys can be abused
  • Hard-coded keys get leaked constantly

Apps Script gives you a built-in secure storage system—you just need to use it.

📍 Step 1 — What NOT to Do

Do not do this:

const GEMINI_API_KEY = "AIzaSy...";

Why this is bad:

  • Anyone with editor access can see it
  • It can be accidentally committed to GitHub
  • You can’t rotate keys easily
  • It encourages unsafe habits

📍 Step 2 — Use Script Properties (Correct Way)

Apps Script provides Script Properties, which act like environment variables.

🔐 Add a Script Property

  1. Open Apps Script
  2. Click Project Settings
  3. Scroll to Script properties
  4. Add:
Property NameValue
GEMINI_API_KEYyour-real-api-key

Save.

📍 Step 3 — Read Secrets in Code

Here’s the correct pattern you’ll reuse everywhere.

/**
 * Retrieve an API key safely from Script Properties.
 */
function getApiKey(propertyName) {
  var props = PropertiesService.getScriptProperties();
  var key = props.getProperty(propertyName);

  if (!key) {
    throw new Error('Missing API key: ' + propertyName);
  }

  return key;
}

Usage:

var apiKey = getApiKey('GEMINI_API_KEY');

📍 Step 4 — Secure API Call Example

Here’s a complete, production-safe API call pattern.

function callProtectedApi() {
  var apiKey = getApiKey('MY_API_KEY');

  var url = 'https://example.com/api/data';
  var options = {
    method: 'get',
    headers: {
      'Authorization': 'Bearer ' + apiKey
    },
    muteHttpExceptions: true
  };

  var response = UrlFetchApp.fetch(url, options);
  var status = response.getResponseCode();

  if (status !== 200) {
    Logger.log(response.getContentText());
    throw new Error('API request failed: ' + status);
  }

  return JSON.parse(response.getContentText());
}

🔍 Key Security Concepts Explained

Why Script Properties Are Safe

  • Not visible in client-side HTML
  • Not logged accidentally
  • Not included when sharing code snippets
  • Different per project (dev vs prod)

What NOT to Log

❌ Never log keys:

Logger.log(apiKey);

✅ Log presence instead:

Logger.log('API key loaded: ' + Boolean(apiKey));

📍 Step 5 — Using Secrets in Web Apps

When building web apps:

✅ API calls happen server-side only
❌ API keys NEVER appear in HTML

// SAFE: server-side
function getDataForUI() {
  var key = getApiKey('MY_API_KEY');
  // API call here
}

<!-- NEVER do this -->
<script>
  const apiKey = "AIzaSy...";
</script>

🧪 Exercises (Important)

Exercise 1 — Migrate a Hard-Coded Key

  • Find any API key in your code
  • Move it into Script Properties
  • Replace with getApiKey()

Exercise 2 — Add Config Validation

Create a startup validation function:

function validateConfig() {
  getApiKey('GEMINI_API_KEY');
  Logger.log('All required keys are present');
}

Run this before deploying.

Exercise 3 — Prepare for GitHub

Create a comment-only config template:

// Required Script Properties:
// GEMINI_API_KEY
// WEATHER_API_KEY
// OPENAI_API_KEY

This helps collaborators without exposing secrets.

💡 Pro Tips for Secure Apps Script Projects

Tip 1 — One Function to Rule Them All

Always access keys through one helper function.

Tip 2 — Rotate Keys Easily

Script Properties let you change keys without editing code.

Tip 3 — Treat API Keys Like Passwords

If you think it leaked:

  • Revoke it
  • Rotate immediately
  • Update Script Properties

🔮 What’s Next?

In Lesson 5, we finally bring AI into the picture:

Lesson 5 — Calling Gemini from Google Apps Script (Text Prompts + Responses)

You’ll learn:

  • Gemini REST API basics
  • generateContent requests
  • Parsing AI responses
  • Error handling
  • Reusable Gemini helper functions

This is where Apps Script becomes AI-powered.