Is storing an API secret in a Hidden Page's field recommended ?

[protro]

In my case I created a custom Page class, which hooks to the Pages::saveReady method.

Let's say I query an API that needs authentication with a secret key, is it safe to call for example $pages->get('name=api')->secret from within a function that gets triggered when a user logged into the backend triggers a page save ?

[cwsoft]

Hi,

if it‘s save depends on your setup and user permissions. The secret would be contained in the PHP file and on save in the PW database and may find it‘s way into Github or server/user backups some time. If users have access to FTP they can extract the secret from files on your server. Users with access to templates fields may add a template exposing your secret using your API etc. So I would say it depends on your setup and use case.