How to use the current user's credentials in a plugin for read / write

I am developing a custom plugin that needs to read and write to builder.io. Currently I am configuring settings in the plugin to provide access to the respective API keys, but I believe this causes a security risk as anyone who has access to the plugin could do whatever the keys allow. Is there a better way to access / leverage the current user's permissions in order to read / write to builder.io rather than:

const apiKey = appState.user.organization.value.settings.publicKey || "";
if (apiKey) {
  builder.init(apiKey);
  builder.apiVersion = "v3";
}

This is an example for reading from builder.io, but I also have cases where I am having the plugin use the admin GraphQL API to write content as well. So curious if there is a better way to do this.

Hello @jhs129,

You’re correct that exposing API keys (especially those with write access) within a plugin poses a significant security risk. Any user with access to the plugin could potentially misuse those credentials to modify or access content in unintended ways.

To clarify:

  • Public API Keys are intended for client-side, read-only access to published content. These are safe to expose and can be used in plugin settings when limited to fetching data.
  • Private API Keys, however, are required for write operations (such as using the Admin GraphQL API or updating content). These keys provide elevated privileges and must be kept secure — they should only be used in trusted, server-side environments and never exposed to the browser or plugin configuration accessible to users.

For scenarios where your plugin needs to read and write data:

  1. Client-side (Read-only):
    Continue using public API keys via the plugin for safe, read-only access.
  2. Server-side (Read/Write):
    For write operations or Admin GraphQL API usage, we strongly recommend routing these actions through a secure server-side service that:
    • Stores and uses the private API key securely (e.g., via environment variables)
    • Exposes only the required endpoints to your plugin
    • Validates and sanitizes input from the plugin to control access

This architecture keeps your private key protected while still enabling the functionality you need.

Best regards,
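The server-side gateway the reply above describes, written out as an added example (not Builder.io's code or anything posted in this thread): the private key lives only in the service's environment, the plugin can trigger only allow-listed operations, and every field it sends is validated before a request is built. ADMIN_URL, the Bearer header, the mutation text and the BUILDER_PRIVATE_KEY variable name are assumptions to be replaced with the real Admin GraphQL endpoint and schema.

```javascript
// Added example, not Builder.io's or the thread's code: a server-side write gateway that
// keeps the private API key out of the plugin. The plugin posts a small JSON request and
// only this service calls the Admin GraphQL API, with the key read from its own environment.
// Assumptions: ADMIN_URL, the Bearer header and the mutation text are placeholders.
const ADMIN_URL = 'https://builder.io/api/v2/admin'; // placeholder endpoint
const ID_RE = /^[A-Za-z0-9_-]{1,64}$/; // conservative shape for model names / content ids
// Allow-list: the plugin can only trigger these named operations, never free-form GraphQL.
const ALLOWED_OPERATIONS = {
  updateContent: ({ contentId, data }) => ({
    query: 'mutation U($id: String!, $data: JSON!) { updateContent(id: $id, data: $data) { id } }',
    variables: { id: contentId, data },
  }),
};
// Validates the plugin's request body. Returns { ok, error } and never touches the key.
function validateRequest(body) {
  if (!body || typeof body !== 'object') return { ok: false, error: 'body must be an object' };
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_OPERATIONS, body.operation)) {
    return { ok: false, error: 'operation not allowed' }; // also rejects "toString" etc.
  }
  if (!ID_RE.test(String(body.modelName))) return { ok: false, error: 'invalid modelName' };
  if (!ID_RE.test(String(body.contentId))) return { ok: false, error: 'invalid contentId' };
  if (!body.data || typeof body.data !== 'object' || Array.isArray(body.data)) {
    return { ok: false, error: 'data must be a JSON object' };
  }
  return { ok: true };
}
// Turns a validated plugin request into the outbound Admin API call, or an error.
// `env` is passed in (normally process.env) so the function can be exercised offline.
function buildAdminRequest(body, env) {
  const v = validateRequest(body);
  if (!v.ok) return { status: 400, error: v.error };
  if (!env.BUILDER_PRIVATE_KEY) return { status: 500, error: 'server misconfigured' };
  return {
    url: ADMIN_URL,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${env.BUILDER_PRIVATE_KEY}` },
      body: JSON.stringify(ALLOWED_OPERATIONS[body.operation](body)),
    },
  };
}
// Request handler: performs the call and relays only the API result back to the plugin.
async function handleWriteRequest(body, env = process.env, fetchImpl = fetch) {
  const req = buildAdminRequest(body, env);
  if (req.error) return { status: req.status, body: { error: req.error } };
  const res = await fetchImpl(req.url, req.init);
  return { status: res.status, body: await res.json() };
}
```

Whoever calls this gateway still has to be authenticated by the service itself; the example only shows how the key and the allowed operations are confined to the server side.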

@manish-sharma I understand the security issues and hence why I wanted to try and leverage the permissions a user has been granted. For example, if a user is an admin in a space I want to enable the plugin for them, otherwise restrict it. So is there a way to query the app state, something like appState.user.organization.currentSpace.hasRole("admin")?

Hello @jhs129,

Just checking in—would using appState.user.data be helpful in your case? This should return the details of the currently logged-in user.

Alternatively, you could consider using appState.contentEditorPage.usersOnline if you’re looking to access a list of users currently active in the editor.

Let me know if either of these approaches works for your use case, or if you’d like help exploring another option.

Best regards,