I just submitted my first Freshdesk app for review and have two questions.
The automated security scan found a hard-coded secret. That is true, and it is in fact on purpose. The reason here is that I’m providing a managed API key to connect to an AI agent which should NOT be known by the customer using the app. Is there a better way to store this credential, without exposing it to the customer but satisfying for the security check?
I implemented tiered pricing levels but was not able to configure those anywhere on Freshdesk’s side. How do I set different pricing levels depending on the tier selected in the app config screen?
For the automated security scan rejected, kindly share your app ID and I shall check and update you on the received submission. Once confirmed, you may resubmit the app
For the tiered pricing, it is currently not supported.
@tmsvl , when developing an app, configuring credentials such as tokens and API keys is often necessary. The app settings functionality allows you to provide runtime data for these credentials without hard-coding them into the app’s code.
More on App Settings in the link below.
The reason the key is hard-coded here is that the key is the same for all installations, and should not be visible to the Freshdesk tenant admin. It’s a ‘managed key’ from our side.
@tmsvl , the tokens you will be storing in App Settings will only be accessible by you; not the tenant admins and definitely not the agents on Freshdesk. You even get to rotate the keys without having to change your app code.
These credentials are defined as environment variables within the app code, and their values are set on the app details page when submitting the app to the Freshworks Developer portal. If any updates to the credential values are required after submitting the app to the Freshworks Marketplace, you can make these changes directly on the app details page. The updated credentials values are then applied to all existing versions of the app that use the app settings functionality.
From code I can see you have 3 hardcoded values at this point in server.js. all three can be converted to Developer App settings and be managed via Developer portal with help of onSettingsUpdate. The developer settings are more like credential store for developers managed at app level.
By doing so, you can control these externally without having to update app each time you wish to perform actions such as rotating keys, updating model selection, etc.
I have also notified the developer to fix the content and release to avoid such confusion and have feature parity with the content.
I sincerely apologise for the inconvenience and the misinformation. Will ensure to add product review as part of content rollout.
From the submission I see you have chosen per agent pricing. That is supported.
We only support two types for now, account level pricing, that is flat pricing per installation. Second being agent level pricing, which is per seat option, which you have chosen.
The additional pricing plans and options are there in the roadmap but not in the near future.
All right, thanks for pointing me in the direction of the developer app settings, that’s updated now. Too bad for the tiered pricings, for now I’ll just publish two variants of the app then. Have a nice day!