mfoster711
Regular Contributor
2 months ago

API Tokens, Passwords - Storing and Retrieving

How do you store and retrieve API Tokens and the various passwords that you might use with your automated testing?

I am trying to be a little more security conscious. With this in mind, you shouldn't be storing tokens and passwords in plain text in your scripts. I have read suggestions to use Windows Environment Variables but I don't see how this is really any more secure on the PC. 

My automation PCs all run scripts overnight to test various Desktop applications and WEB applications. These PCs must automatically sign on to Windows and start TestComplete to run my scripts. At this point, the PCs are "unsecured" because anybody can walk up and access the PC and view any script code or Windows Environment Variable.

So, how do you safely store this information? I thought about using TestComplete project variables, but that only works when using Keys or SetText commands, which will not work with Web API calls.

4 Replies

  • To use passwords or tokens in TestComplete, here are a few secure ways to manage them depending on your setup:

    1. Windows Credential Manager
    It's built into Windows, free, and easy to use. You can store credentials manually or via command line:

    cmdkey /generic:MyService /user:APIUser /pass:SuperSecret123

    Then retrieve it from your TestComplete script:

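    function GetCredential(targetName) {
      // Sys.OleObject works in every TestComplete script language
      var wsh = Sys.OleObject("WScript.Shell");
      // Get-StoredCredential comes from the CredentialManager PowerShell module (install it first).
      // It returns a PSCredential whose Password is a SecureString, so convert it to plain text.
      var cmd = 'powershell -NoProfile -Command "(Get-StoredCredential -Target \'' + targetName +
                '\').GetNetworkCredential().Password"';
      var exec = wsh.Exec(cmd);
      // aqString.Trim removes the trailing newline from the PowerShell output
      var token = aqString.Trim(exec.StdOut.ReadAll());
      return token;
    }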
    
    function Test_API_Call() {
      var token = GetCredential("MyService");
      var request = aqHttp.CreatePostRequest("https://api.example.com/data");
      request.SetHeader("Authorization", "Bearer " + token);
      var response = request.Send();
      Log.Message("Status: " + response.StatusCode);
    }

    2. String project variables 
    Store an encrypted or encoded value in a regular String variable and decrypt it in code before use:

    const encoded = Project.Variables.ApiToken; 
    const token = decrypt(encoded); // implement your own decryption

    3. Command-line variables
    Pass the token to TestComplete or TestExecute when launching from the command line:

    TestExecute.exe "MyProject.pjs" /p:MyProject /u:MyTest /var:ApiToken=MySecret

    Then access it in your script with Project.Variables.ApiToken.

    🤖 AI-assisted response
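
Option 2 in the reply above leaves the decryption step open. The following is an added example, not part of the original reply and not SmartBear code: one way to fill that step with Windows DPAPI from PowerShell. The function names `Protect-ApiToken` and `Unprotect-ApiToken` and the sample token are hypothetical.

```powershell
# Added example. ConvertFrom-SecureString / ConvertTo-SecureString without -Key
# use DPAPI on Windows, so the blob decrypts only for the same Windows user on
# the same machine. Anyone working in that user's logged-on session can still
# decrypt it; what this protects is the copy in project files and source control.

function Protect-ApiToken {
    # Returns a DPAPI-protected hex string suitable for a String project variable.
    param([Parameter(Mandatory)][securestring]$Token)
    ConvertFrom-SecureString -SecureString $Token
}

function Unprotect-ApiToken {
    # Turns the stored blob back into plain text for use in an HTTP header.
    param([Parameter(Mandatory)][string]$Blob)
    try {
        $secure = ConvertTo-SecureString -String $Blob -ErrorAction Stop
    } catch {
        # Typical cause: blob was created by another account or on another PC.
        throw "Blob cannot be decrypted by $env:USERNAME on $env:COMPUTERNAME: $($_.Exception.Message)"
    }
    [System.Net.NetworkCredential]::new('', $secure).Password
}

# One-time setup, run interactively as the automation account:
#   $blob = Protect-ApiToken -Token (Read-Host -AsSecureString 'API token')
#   then paste $blob into the String project variable (Project.Variables.ApiToken)

# Round trip with a constructed sample value:
$sample = ConvertTo-SecureString 'constructed-sample-token' -AsPlainText -Force
$blob   = Protect-ApiToken -Token $sample
$plain  = Unprotect-ApiToken -Blob $blob
"{0} hex characters stored; round trip ok: {1}" -f $blob.Length, ($plain -eq 'constructed-sample-token')
```

A TestComplete script can call `Unprotect-ApiToken` by shelling out to PowerShell the same way `GetCredential` does in the reply above.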

    • mfoster711
      Regular Contributor

      I am trying to understand SessionCreator, I have never used it. Does it allow me to run scripts on a computer WITHOUT having to sign on to that computer? 

      • rraghvani
        Champion Level 3

        Have a read through Running Tests via Remote Desktop, and the sub topics in Running Tests to get a rough idea.

        As I do web testing, it's required to have a GUI (as opposed to headless web testing) so I have a specific user that's automatically signed in, into the VM. The VM has TestExecute installed. I use SessionCreator to launch and run the automation, via PowerShell script. I can call the PowerShell script from my local machine, to run the automation. Once the automation has completed, within the PowerShell script, it performs the necessary clean up and then sends the automated test results to the testing team, which is similar to the Summary Report.

        We have "fake users" that log into the web application, so the testing team's credentials are not used or exposed within the automation scripts. Also, the testing team can log into the VM using the specific account.