Password encryption/decryption in Collection


I have a Collection: Websites.
With Fields: WebsiteURL, Username, Password.

What is the best way to store third party credentials in Strapi?
I know there is a type called Password, but how do I decrypt the password after storing it? I need it decrypted to use in an Axios request for login on these websites.
I don’t want to store them in .env or something like this, as I also want to offer a possibility to update it periodically.


Thank you!

In your case, use a regular string field with some custom lifecycle logic to encrypt/decrypt it (setting an encryption key in the .env or some secure location).

We don’t currently have any recommended solutions, so it will need to be something custom for you to implement as needed. We have recently started moving all of this secret storage to file-based throughout the project (expecting them to be set in a .env).

Alternatively, if you are going custom, you can handle the encryption and storage via the core_store:



Indeed, that's a good solution, thank you!

So I took these steps to achieve the desired result:
- Added a secret key for encryption/decryption in .env.
- Added encryption logic for the raw password in the create/update lifecycle.
- Added a custom method for decrypting the password, to use it in Axios requests when needed.

For encryption/decryption I used node’s crypto.

Thank you
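An added example, not code from the poster or from Strapi, of the three steps listed above using Node's crypto with AES-256-GCM. The env variable name `CREDENTIALS_KEY`, the `enc:v1:` storage format and the helper names are assumptions of this example; `protectPassword` is meant to be called on the data object in the create/update lifecycle.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Constructed demo key (32 bytes as hex), used only to exercise the functions.
// In a project the key comes from .env; CREDENTIALS_KEY is an assumed name.
const DEMO_KEY_HEX = '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f';

// Stored value layout (assumed): enc:v1:<iv>:<auth tag>:<ciphertext>, base64 fields.
const STORED = /^enc:v1:([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]*)$/;

function loadKey(hex = process.env.CREDENTIALS_KEY) {
  if (!/^[0-9a-f]{64}$/i.test(hex || '')) {
    throw new Error('encryption key must be 64 hex characters (32 bytes)');
  }
  return Buffer.from(hex, 'hex');
}

function encryptPassword(plain, key) {
  const iv = randomBytes(12); // fresh nonce per encryption, never reused with a key
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plain, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return ['enc:v1', ...[iv, tag, ct].map((b) => b.toString('base64'))].join(':');
}

function decryptPassword(stored, key) {
  const m = STORED.exec(stored);
  if (!m) throw new Error('value is not in the enc:v1 format');
  const [iv, tag, ct] = m.slice(1).map((s) => Buffer.from(s, 'base64'));
  // authTagLength rejects truncated tags; final() throws if data was modified
  const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Lifecycle helper: encrypt a raw Password, but leave an already encrypted
// value alone so that re-saving an entry does not encrypt it twice.
function protectPassword(data, key) {
  if (typeof data.Password === 'string' && !STORED.test(data.Password)) {
    data.Password = encryptPassword(data.Password, key);
  }
  return data;
}
```

GCM authenticates the stored value, so a record edited in the database fails to decrypt instead of yielding a wrong password.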

Just a side note: I know there are systems that have no OAuth or anything else. Storing passwords in any way other than as hashes is still a bad practice in IT. Please be aware of it. Updating older systems to provide better authentication methods is recommended if possible, ofc.

Yes, I know, but these websites are not maintained by me. These are just third party websites and they do not provide an API for connections.
So as a solution I made a bot based on puppeteer to emulate the login process on them. It returns a JWT token after login and I use it for future requests, but the problem is that the JWT expires in a few hours, so I need to repeat the login process by using the raw credentials.

Thanks for advice.