Learn about making some actor input fields secret and encrypted. Ideal for passing passwords, API tokens or login cookies to actors.
The secret input feature allows you to mark some actor input fields as secret, causing them to be encrypted when saving an input for an actor. The input can then be decrypted only inside the actor.
Setting an input field as secret
To make an input field secret, just add a
"isSecret": true setting to the input field in the actor's input schema, like this:
"description": "A secret, encrypted input field",
The editor for this input field will then turn into a secret input, and when you edit the field value, it will be stored encrypted.
This is only available for
string inputs, and the editor type is limited to
Reading secret input fields
When you read the actor input through
Actor.getInput(), the encrypted fields are automatically decrypted, without any additional code needed (starting with the
apify package version 3.1.0).
> await Actor.getInput();
If you read the
INPUT key from the actor run's default key-value store directly, you will still get the original, encrypted input value.
> await Actor.getValue('INPUT');
The encryption mechanism used for encrypting the secret input fields is the same dual encryption as in PGP.
The secret input field is encrypted using a random key, using the
aes-256-gcm cipher, and then the key is encrypted using a 2048-bit RSA key.
The RSA key is unique for every user and actor combination, so no actor can decrypt input meant for other actor run of the same user, and no user can decrypt input of actor runs of a different user, but same actor.
The decryption keys are passed to the actor runs as environment variables, so the input decryption happens only inside of the actor run.
If you want to test the secret input live, check out the Example Secret Input actor in Apify Console. If you want to dig in deeper, you can check out its source code on GitHub.