Shotgun script key security


Does anyone have any thoughts on the best way they have come up with to handle secure SG script keys for AMIs built as custom protocol handlers? What I have done in the past was to set environment variables on the host machine which is running the cherrypy/flask server if the AMI is using https. But, how would you do it if you are using a CPH for the AMI?


The quickest way I can think of to keep a script key private when using a custom protocol handler would be to set up an API gateway.

Essentially, you could set up a web server, similar to how you would if using AMIs with HTTPS, but in this case you either:

  1. Have the server pass you back an API session token; or,
  2. Execute the desired code on the server, on the user’s behalf.

For example, if using Python, I’d probably set up a Flask server, then use the Requests library from the user’s machine to send execution requests to it.

Using an API gateway also allows you to log which users are sending which requests, should you be interested in that.

I’m sure there are a few other ways that this could be done, but that’s what first comes to mind.
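The gateway pattern from the reply above, as an added example that is not from the original thread: the script key lives only in the gateway host's environment, the user's machine holds a per-user API token, the server runs an allowlisted action on the user's behalf and records who asked for what. The standard library stands in for Flask and Requests so it runs with no dependencies; the key, the token table and the shot data are constructed, and `run_action` is a hypothetical stand-in for a real Shotgun call.

```python
import json
import os
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

# Constructed values for the demo; a real gateway reads the key from its own
# environment (or a secrets manager) and never sends it to the user's machine.
os.environ.setdefault("SG_SCRIPT_KEY", "constructed-secret-key")
USER_TOKENS = {"tok-alice": "alice"}  # per-user API tokens, constructed
AUDIT_LOG = []                        # (user, action) pairs, for the logging the reply mentions

def run_action(action, user):
    """Run an allowlisted action server-side; only this code touches the script key."""
    script_key = os.environ["SG_SCRIPT_KEY"]  # read on the gateway host only
    allowed = {"find_shots": lambda: {"shots": ["sh010", "sh020"], "user": user}}
    if action not in allowed:
        raise ValueError("action not permitted")
    assert script_key  # a real implementation would authenticate to Shotgun here
    return allowed[action]()

class Gateway(BaseHTTPRequestHandler):
    def do_POST(self):
        auth = self.headers.get("Authorization", "")
        user = USER_TOKENS.get(auth[7:] if auth.startswith("Bearer ") else "")
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) if length else b"{}")
        if user is None:
            return self._reply(401, {"error": "unauthorized"})
        AUDIT_LOG.append((user, body.get("action")))  # log before executing
        try:
            return self._reply(200, run_action(body.get("action"), user))
        except ValueError as exc:
            return self._reply(403, {"error": str(exc)})

    def _reply(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence default request logging
        pass

def start_gateway():
    """Bind to an ephemeral localhost port and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Gateway)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def call_gateway(port, token, action):
    """What the protocol handler on the user's machine does: send the token, never the key."""
    req = request.Request(f"http://127.0.0.1:{port}/execute", method="POST",
                          data=json.dumps({"action": action}).encode(),
                          headers={"Authorization": f"Bearer {token}",
                                   "Content-Type": "application/json"})
    try:
        with request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except error.HTTPError as exc:
        return exc.code, json.loads(exc.read())
```

In production the gateway would sit behind TLS and the token would be issued per user, so a leaked token can be revoked without rotating the script key.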