Canvas on Tap

Automating Canvas LMS with iPad magic

Secure your Script: Protecting your API Credentials with Keychain

In the first post, we made our first successful API call to Canvas. To keep things simple and readable, we defined our Canvas URL and API token directly in the script. That choice was intentional.

When you’re learning something new, clarity matters more than perfection. Seeing values defined plainly in the code makes it easier to understand what’s happening and why. But it’s not how we should work long-term.

Before we go any further, let's secure this important information!

Why this matters

Your API token is effectively your Canvas password. It grants the same access you have when you sign in to Canvas in your browser: viewing student data, creating content, or making changes in your account.

For our first script, hardcoding the token was the simplest path forward. As you expand your use of the Canvas API, this is not only poor practice; it can lead to a data breach, depending on your access in Canvas.

If we want our automations to be safe, repeatable, and scalable, sensitive values need to live outside the script itself.

On your iPad, the right place for that is the Keychain.

A quick note on your base URL

Before we store anything, let’s talk briefly about the baseUrl.

In my scripts, I intentionally include /api/v1 directly in the base URL:

const baseUrl = "https://yourdomain.instructure.com/api/v1"

I do this for two reasons:

  1. Nearly every Canvas API request uses this same versioned base path
  2. It keeps endpoint construction consistent and readable

With /api/v1 already in place, the endpoint paths we build later map directly to what you see in Canvas.

"/users/self/profile"
"/courses"
"/assignments"

This keeps the mental model simple:

Once defined, the base URL rarely changes, which makes it an ideal candidate for your Keychain.

Translating this to your Scriptable App

Scriptable gives us access to the iOS Keychain, which is designed specifically for storing sensitive values like tokens, passwords, and credentials.

The first step is to store our existing values.

// Store each value using a name (key) and the value we want to protect
Keychain.set("BASE_URL", baseUrl);
Keychain.set("API_TOKEN", apiToken);

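You only need to do this once. After the values are stored, they persist securely across scripts and sessions. Once they are stored, remove the hardcoded token from the script so it no longer sits there in plain text.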

A small but important naming shift

You’ll notice a deliberate change in naming here.

When values are stored outside the script, I switch to uppercase variable names when retrieving them:

// Retrieve the stored values by the same names
const BASE_URL = Keychain.get("BASE_URL");
const API_TOKEN = Keychain.get("API_TOKEN");

Uppercase names make it immediately clear that:

As scripts grow, that distinction becomes increasingly valuable.

Updating the Load Step

With our credentials secured, the Load step of the TAP Method becomes cleaner and safer.

Instead of defining sensitive values inline, we now load them intentionally:

const BASE_URL = Keychain.get("BASE_URL");
const API_TOKEN = Keychain.get("API_TOKEN");

From here on out, every script can assume your credentials are secure.
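A more defensive version of the Load step, as an added example that is not code from the original post: it checks that both entries exist before reading them (Scriptable's `Keychain.get` throws on a missing key), refuses a base URL that is not HTTPS or does not end in `/api/v1`, and logs only the URL, never the token. The names `loadCanvasConfig`, `authHeaders` and `memoryKeychain` are hypothetical, and the sample values are constructed.

```javascript
// Added example: loadCanvasConfig, authHeaders and memoryKeychain are hypothetical names.
function loadCanvasConfig(keychain) {
  // Keychain.get throws on a missing key, so check first and fail with a clear message.
  for (const key of ["BASE_URL", "API_TOKEN"]) {
    if (!keychain.contains(key)) {
      throw new Error(`Missing Keychain entry "${key}": run the one-time store step first`);
    }
  }
  // Trim stray whitespace from copy/paste and drop any trailing slash.
  const BASE_URL = keychain.get("BASE_URL").trim().replace(/\/+$/, "");
  const API_TOKEN = keychain.get("API_TOKEN").trim();

  // Only ever send the token over HTTPS to a versioned Canvas API base path.
  if (!/^https:\/\/[A-Za-z0-9.-]+(:\d+)?\/api\/v1$/.test(BASE_URL)) {
    throw new Error("BASE_URL must look like https://<host>/api/v1");
  }
  if (API_TOKEN === "") {
    throw new Error("API_TOKEN is empty");
  }
  return { BASE_URL, API_TOKEN };
}

// Canvas accepts the token as a Bearer value in the Authorization header.
function authHeaders(token) {
  return { Authorization: `Bearer ${token}` };
}

// Constructed in-memory stand-in so the example also runs outside Scriptable.
function memoryKeychain(entries) {
  return {
    contains: (key) => Object.prototype.hasOwnProperty.call(entries, key),
    get: (key) => entries[key],
  };
}

// In Scriptable the real Keychain is used; elsewhere the constructed sample values are.
const store = typeof Keychain !== "undefined"
  ? Keychain
  : memoryKeychain({
      BASE_URL: "https://yourdomain.instructure.com/api/v1/",
      API_TOKEN: " constructed-sample-token ",
    });

const config = loadCanvasConfig(store);
// Log where requests go, never the token itself.
console.log(`Canvas API base: ${config.BASE_URL}`);
```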

Why we do this now

This step might feel a little early. After all, we’ve only made one API call so far. That’s exactly why it belongs here.

Good automation habits are easiest to form at the beginning. By securing credentials early, you avoid having to refactor later, and you build scripts that are safe to reuse, share, and grow.

With our script secured, we’re ready to move forward.

What's next

In the next post, we’ll start putting this foundation to work — using the TAP Method to retrieve real Canvas course data.