payloadcms/plugin-stripe

Using restricted keys

silveltman opened this issue · 2 comments

Would it be possible to use a key with specific permissions enabled?

I'm trying to set up Payload multi-tenancy with e-commerce. The problem is setting a new key for each tenant.

An idea I'm exploring is storing the Stripe API key in a field in the tenant doc in Payload. I'm trying to add some security by restricting the key.

If this is completely inappropriate anyway, kindly let me know 😄

Hey @silveltman I think you're on the right track here. Security around your API keys is a big deal so you'd need to get it right. If your tenants don't change often, you could always just store them statically in your env as you go. But at a certain scale, this isn't quite sustainable. For this you could save them to your tenant as you suggested, then leverage Payload to fully restrict access and encrypt their values.
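
One way to do what the comment above suggests: a tenant field that Payload never returns to API clients and that is encrypted before it is saved. This is an added example, not part of the original thread or plugin-stripe's code; the field name, the `roles` check and the 32-byte key-encryption key `kek` are assumptions.

```javascript
// Added example, not plugin-stripe code. Field name and role check are assumptions.
const nodeCrypto = import('node:crypto'); // dynamic import works in CommonJS and ESM
const PREFIX = 'enc:v1:'; // marks values that are already encrypted

// AES-256-GCM with a 32-byte key; stored form is PREFIX + "iv.tag.ciphertext" (base64).
async function encryptSecret(plaintext, kek) {
  const { randomBytes, createCipheriv } = await nodeCrypto;
  const iv = randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = createCipheriv('aes-256-gcm', kek, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return PREFIX + [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64')).join('.');
}

// Server-side only: call this right before constructing the tenant's Stripe client.
async function decryptSecret(stored, kek) {
  const { createDecipheriv } = await nodeCrypto;
  const [iv, tag, ct] = stored.slice(PREFIX.length).split('.').map((p) => Buffer.from(p, 'base64'));
  const decipher = createDecipheriv('aes-256-gcm', kek, iv);
  decipher.setAuthTag(tag);
  // final() throws if the stored value or its tag was modified, or the key is wrong
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Stripe restricted keys start with rk_test_ or rk_live_; secret keys (sk_) are refused.
const isRestrictedKey = (v) => /^rk_(test|live)_[A-Za-z0-9]+$/.test(v);

// Field definition to place in the tenants collection's `fields` array.
function stripeKeyField(kek) {
  const isAdmin = ({ req }) => Boolean(req.user?.roles?.includes('admin')); // assumed role model
  return {
    name: 'stripeRestrictedKey', // hypothetical field name
    type: 'text',
    access: { read: () => false, create: isAdmin, update: isAdmin }, // never sent to API clients
    hooks: {
      beforeChange: [
        async ({ value }) => {
          if (!value || value.startsWith(PREFIX)) return value; // unset or already encrypted
          if (!isRestrictedKey(value)) throw new Error('Expected a restricted Stripe key (rk_...)');
          return encryptSecret(value, kek);
        },
      ],
    },
  };
}
```

Server-side code that needs the key reads the tenant through the Local API, which skips access control by default, and calls `decryptSecret` just before creating the Stripe client.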

This plugin is now being maintained in the Packages Directory of the Payload Monorepo. This repo will soon be archived and all open issues including this one will be closed. This issue has already been added to this open discussion, though, so that it will not get lost. Please refer to that discussion for more details and to continue the conversation.