# suitescript
u
Hi all - in my SuiteApp, I have a use case where I want to display a form inside NetSuite to the user, have them input their private API key to my external service, store the API key securely and later use it to authenticate API calls that the SuiteApp makes to the external service. I found this article: https://blogs.oracle.com/developers/post/managing-suiteapp-api-secrets, which is about this. In particular, it has a section "Collecting Credentials Through a Custom Form with Enhanced Security" in which it says:
For example, credentials entered by a user in a form field created with Form.addCredentialField can be encrypted server-side using a key generated by https.createSecretKey. This encrypted data is then securely stored within NetSuite, for instance, in a custom record or another secure storage mechanism. When the need arises to use these credentials, https.createSecureString can be employed to decrypt them safely, maintaining the integrity and confidentiality of the sensitive data.
Now, I know:
• How to create a `form.addCredentialField()` field in a form (explained here).
• How, on form submission, to get the GUID of the value input (explained there too).
• How, using the GUID, to call `https.createSecureString()` and send it off (explained there too).
But it's not clear to me:
• What am I supposed to store in the custom record? The GUID? Some encrypted value obtained from the GUID? Both?
• If it's the GUID, why does the author mention `https.createSecretKey()` at all? Also, if it's the GUID, is this safe enough? Can anything but the scripts authorized by `form.addCredentialField()`'s `restrictToScriptIds` option get at the underlying plain text value?
• If `https.createSecretKey()` is important in this setup for security reasons, could someone explain why and how to use it?
Many thanks!
b
the normal thing is to store the GUID in plaintext somewhere for later use
if for some reason you wanted to hide the GUID itself, you would encrypt it using AES via N/crypto, which will require the use of the secret key
if you wanted to be extra trendy, you could use the new N/pgp instead of N/crypto
u
Thank you! All clear now. I have to admit using API Secrets or this `form.addCredentialField()` is made so difficult by the lack of good documentation... That blog article helps somewhat but is also convoluted and clearly on occasion leads one to believe there's more to be done than there is.