By default, the Sentry auth token is added to source control in multiple ways:
- ./ios/sentry.properties and ./android/sentry.properties
- In our case, added to fastfile in the upload_symbols_to_sentry step
The docs don't specify if the auth token should be treated more securely than the URL-esque key used in source code (which we put in an .ENV file although it will of course ship in the client).
It doesn't look like the CLI can do anything too destructive - only add, not delete, as far as I can see on a quick skim. So perhaps it's ok to have this auth token in source control.
But it would be, I think, valuable to have an explicit instruction both in the setup steps, and at this URL: https://sentry.io/settings/account/api/auth-tokens/ (That page also does not appear to give any guidance on how to treat this auth token.)
That way we'll all know what the best security practice is for these tokens.
Thanks for taking a look!