API Connect

API Connect

Join this online group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.


#API Connect
#Applicationintegration
#APIConnect
 View Only

Securing Sensitive Credentials with the --secrets Flag in IBM API Connect for GraphQL (StepZen)

By Sahul Prakash posted 2 days ago

  

In the world of modern GraphQL development with IBM API Connect for GraphQL (StepZen), integrating with backend services such as REST, GraphQL, or database endpoints is a common task. These integrations often require sensitive credentials like API keys, authorization tokens, or custom headers.

IBM API Connect for GraphQL enables developers to build unified GraphQL APIs quickly by importing existing data sources. However, when using the powerful stepzen import command, it’s easy to accidentally expose secrets in your GraphQL schema files.

That’s where the --secrets flag comes in. It ensures sensitive credentials are never written into generated schema files and are instead managed securely in your configuration.

 

Why You Must Use --secrets

Without --secrets, any header you pass to an import command—even a temporary test value—gets hardcoded into your .graphql file.

🚫 Example of What to Avoid 

# Exposed in your schema file!
type Query {
  myQuery: Root
    @rest(
      endpoint: "https://myapi.com/v1"
      headers: [{ name: "Authorization", value: "Bearer 12345-THIS-SECRET-IS-EXPOSED" }]
    )
}

 The --secrets flag completely eliminates this issue by replacing sensitive data with variable references during the introspection process.

What Happens When You Use --secrets

Action with --secrets Security Benefit
Replaces Value in SDL Prevents credentials from being committed to source control.
Stores Value in config.yaml Centralizes secrets in a non-schema file, making management easier.
Uses a Generated Variable The GraphQL schema only sees a reference, not the raw secret.



How to Use the --secrets Flag

You simply pass the name of the header (or URL parameter) whose value you want to hide to the --secrets flag.

1. Importing a REST API with a Secret Header

stepzen import curl https://my-backend.com/api/v1/user \
  --header 'Authorization: Apikey 12345-THIS-IS-A-SECRET' \
  --secrets 'Authorization'

2. Importing a GraphQL API with a Secret Header

The process is identical when importing a GraphQL endpoint:

stepzen import graphql https://your-graphql-endpoint/graphql \
  --header 'X-API-KEY: MySuperSecretKey' \
  --secrets 'X-API-KEY'

What Happens Behind the Scenes (Generated Output)

This is where the magic happens. When you use --secrets, StepZen automatically updates two files:

  • Your GraphQL schema (.graphql) file

  • Your configuration (config.yaml) file

The Generated config.yaml

The actual secret value is securely placed in your config.yaml file under a unique, automatically generated variable name:

configurationset:
  - configuration:
      # StepZen inserts the raw value here:
      authorization_416efbc0dc: Apikey 12345-THIS-IS-A-SECRET 
      name: curl_import_config

The Corresponding Secure SDL

The generated .graphql schema file now references this variable instead of the raw secret:

type Query {
  myQuery: Root
    @rest(
      endpoint: "https://my-backend.com/api/v1/user"
      # The value is now a secure variable reference!
      headers: [{ name: "Authorization", value: "$authorization_416efbc0dc" }]
      configuration: "curl_import_config"
    )
}

Notice the raw API key is nowhere in the schema!

Multiple Secrets Example

You can also secure multiple headers or parameters at once.

stepzen import graphql https://example.com/graphql \
  --header 'Authorization: Apikey 1234' \
  --header 'token: my-token-value' \
  --secrets 'Authorization' \
  --secrets 'token'

Key Takeaways

  • Always use --secrets when importing data sources that require API keys or tokens.

  • Manage credentials securely via config.yaml instead of schema files.

  • Helps ensure your GraphQL APIs comply with enterprise security standards.


    #APIConnect
    #GraphQL
    #Stepzen

0 comments
6 views

Permalink

https://community.ibm.com/community/user/blogs/sahul-prakash/2025/10/06/secure-your-api-keys-and-tokens-in-ibm-api-connect