
**Secrets should not be stored in the extension code** but should be handled via the [extension settings](/awell-extensions/docs/getting-started/extension-settings).

## Example

Imagine you are building an extension with a 3rd party. As is common in many applications, your extension might require authentication with the third-party API. However, you want to ensure that users who install the extension can easily configure their own API key without hardcoding it into the extension's code or relying on environment variables.

To achieve this, you can use the extension settings to provide a user-friendly way for extension users to set their API key during the installation process.

### Extension settings

```typescript
// Define extension settings
const mySettings = {
  apiKey: {
    label: 'API Key',
    key: 'apiKey',
    obfuscated: true, // set this to true when settings store sensitive data
    required: true,
  },
} satisfies Record<string, Setting>

// Export extension with settings
const yourExtension: Extension = {
  ...,
  settings: mySettings,
}
```

### Accessing settings values

The extension settings are accessible from within any part of your extension's code (e.g. when writing a custom action), enabling you to retrieve the user's provided value for the secret/setting.

```typescript
export const yourCustomAction: Action<typeof fields, typeof settings> = {
  ...,
  onActivityCreated: async (payload, onComplete) => {
    // Fetch the settings
    const { settings } = payload

    console.log('API Key inserted by the user: ' + settings.apiKey)

    // Handle the action

    await onComplete()
  },
}
```


Learn how to handle secrets and sensitive data