Shortcuts on iOS can do incredibly powerful things, and with a little bit of extra magic you can connect to most API’s as well. Pulling data from API’s, manipulating it, and extending your shortcuts is really powerful. However, you need to have a good way to manage the authentication tokens and secrets for those APIs.
Most Shortcuts I have seen use a Text variable and put the token in that variable. It’s then used throughout the Shortcut. This works, but it exposes problems if you share that Shortcut. It also has issues if you use the same API in multiple Shortcuts. You are now copying that token in numerous places.
Another approach that I prefer is to create Shortcuts that do nothing but return those tokens. You can then call those Shortcuts from another Shortcut to get the token. I prefix these Shortcuts with the prefix “Secret”.
Then when I need to use an token for an API I call the Shortcut and then reference the magic variable returned from it. You can even hide the execution of that second Shortcut.
In addition to reuse, you also get other benefits from this approach. Your Secret Shortcut can have some logic. For example, I access Working Copy from Shortcuts and it does so with a local URL call, protected with a random key. That key is specific to each iOS device. So, rather than try to synchronize the keys I have the Secret shortcut return whatever key is right for the device that is running.
I do a similar thing with MailChimp’s API token that requires some encoding be applied to it.
I find this a better way to manage these secret tokens, get reuse, and make it easier to change them. 👍