Can people see my API keys on a web app using F12 (Web Inspect) or other tools?

avatar

I made a web app, and I am planning on sharing it with other people but I am afraid that they will be able to access my API keys. Is that a thing?

The web app contains a couple of API keys under the headers.

Product: PowerShell Universal
Version: 1.4.6


avatar

Recommended Answer

I see. So, if you go to Platform, then Variables, you can create a new variable that is Secret (rather than Simple). Secret variables are only accessible by PSU itself and are encrypted. Your script could simply be modified to reference the variable for those lines. This would then allow you to avoid having sensitive information stored within the script directly (as well as being able to reuse the variable in other scripts if needed).

For example, it would change to something like $headers2.Add("X-Cisco-Meraki-API-Key", $($Secret:apikeyvariable))
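A check to run before sharing a script, added here as an example (not part of the original thread or of PowerShell Universal). It parses the script with the PowerShell AST and reports header `.Add()` calls whose value is still a quoted literal rather than a variable reference such as `$Secret:apikeyvariable`. The function name, the header-name pattern, `$headers1` and the placeholder key are constructed for illustration.

```powershell
using namespace System.Management.Automation.Language

function Find-HardcodedHeaderSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        # Header names treated as sensitive (assumption; adjust to your APIs)
        [string]$HeaderPattern = '(?i)(api[-_]?key|token|authorization|secret)'
    )

    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) { throw "Script does not parse: $($errors[0].Message)" }

    # Every method call of the form <object>.Add(<name>, <value>)
    $calls = $ast.FindAll({
        param($node)
        $node -is [InvokeMemberExpressionAst] -and
        $node.Member -is [StringConstantExpressionAst] -and
        $node.Member.Value -eq 'Add' -and
        $node.Arguments.Count -eq 2
    }, $true)

    foreach ($call in $calls) {
        $name  = $call.Arguments[0]
        $value = $call.Arguments[1]
        # Only a literal header name can be matched against the pattern
        if ($name -isnot [StringConstantExpressionAst]) { continue }
        if ($name.Value -notmatch $HeaderPattern) { continue }
        # A plain quoted string means the key is embedded in the script text;
        # a variable or $(...) sub-expression is resolved at run time instead.
        if ($value -is [StringConstantExpressionAst]) {
            # Report the location only, never the literal value itself
            [pscustomobject]@{ Line = $call.Extent.StartLineNumber; Header = $name.Value }
        }
    }
}

# Constructed sample: the first call embeds a placeholder key, the second
# uses the Secret variable reference from the answer above.
$sample = @'
$headers1 = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers1.Add("X-Cisco-Meraki-API-Key", "PLACEHOLDER-NOT-A-REAL-KEY")
$headers2 = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers2.Add("X-Cisco-Meraki-API-Key", $($Secret:apikeyvariable))
'@

Find-HardcodedHeaderSecret -ScriptText $sample | Format-Table -AutoSize
```

Only the `$headers1` line is reported; the call that references the Secret variable passes.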

All Comments (7)

avatar

Please clarify. Are you sending API keys to the client from the web app? If you’re talking about keys being sent from the client TO the web app, I’m not sure what your fear is when they would already have/know the key being sent (since they’re the one sending it).

avatar

I made a web app that searches devices assigned to a user.

When someone types a name in the search field, it sends a request to our database using an API key that is included in the script that runs in the backend.

My fear is that people can access the script running in the backend of the web app and look at/grab my API keys.

Not sure if that makes sense.

avatar

Is the API key stored inside of a Secret variable that’s just being referenced from inside of your script that gets triggered when a user submits the query on that web app?

avatar

It is being referenced from the inside of the script and it is triggered when a user submits the query.

I am new to this stuff so I have no idea how to store the API key inside of a secret variable. I am using the free version of PSU.



avatar

It worked!!! You are the best. This makes me feel much more comfortable when I share this with other techs.

avatar

Great. Glad it solved your concern.