How to handle API keys (or any private information) needed by projects?

If one doesn't plan to share a project then the keys can just be part of a project.

One can store the keys in transient variables. Sharing is straightforward and repeated use in a single session is fine. But entering the keys every time the project is loaded is awkward.

Or one can use the primitive db_get(key) which requires the key to be entered only the first time it is used in that browser. But one should note that the key is stored in the browser's storage so this is not a good idea if on a shared computer (e.g. a school computer). I'm reluctant to share a project using db_get(key) since I don't know if people loading my project will know to be careful. Though perhaps a warning is enough. And maybe a fallback to transient variables if the user heeds the warning and refrains from storing their key in the browser's local storage.

The ideal solution is for one to be able to store things on the Snap! server that are accessible only if one is logged in. For the kinds of uses I'm imagining there can be a small limit to the size of stored items (maybe a few hundred bytes is enough). And the number of stored items can be restricted too. But this scheme works only if we can trust the Snap! server not to be hacked.

An additional issue is that the user who enters a key either needs to trust the author of the project or needs to inspect the scripts to ensure that the keys aren't leaked. It is a good thing that Snap! doesn't allow one to hide scripts.

This sounds like a feature request, and it's a good idea. We could make it so the key never leaves the server, if we made a primitive block that forwards requests to the API's server... What does NetsBlox do about this issue?

That would make a lot of projects easier.
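The server-side storage and request-forwarding idea discussed in this thread, as an added example that is not Snap! or NetsBlox code and not written by any poster here. `KeyVault`, its `put` and `forward` methods, the session object, the two limits and the `Authorization: Bearer` header are all assumptions made for illustration; it also binds each key to one API host, so a shared project cannot ask the server to send the key somewhere else.

```javascript
// Hypothetical server-side vault: secrets are stored per logged-in user and
// are only ever attached to outbound requests, never returned to the client.
const MAX_ITEM_BYTES = 300;    // assumed reading of "a few hundred bytes"
const MAX_ITEMS_PER_USER = 10; // assumed cap on stored items per user

class KeyVault {
  constructor() {
    this.byUser = new Map(); // user name -> Map(key name -> {secret, apiHost})
  }

  // Store a secret, bound to the single API host it may be forwarded to.
  put(session, name, secret, apiHost) {
    if (!session || !session.user) throw new Error('login required');
    if (new TextEncoder().encode(secret).length > MAX_ITEM_BYTES) {
      throw new Error('item too large');
    }
    let items = this.byUser.get(session.user);
    if (!items) {
      items = new Map();
      this.byUser.set(session.user, items);
    }
    if (!items.has(name) && items.size >= MAX_ITEMS_PER_USER) {
      throw new Error('too many stored items');
    }
    items.set(name, { secret, apiHost });
  }

  // Build the request the server sends on the user's behalf. The project
  // names the key and the URL; it never sees the secret itself.
  forward(session, name, url) {
    if (!session || !session.user) throw new Error('login required');
    const items = this.byUser.get(session.user);
    const item = items && items.get(name);
    if (!item) throw new Error('no such key for this user');
    const target = new URL(url);
    // Refuse plain HTTP and any host other than the one the key was stored for.
    if (target.protocol !== 'https:' || target.host !== item.apiHost) {
      throw new Error('host not allowed for this key');
    }
    // Assumption: the API takes a bearer token; real APIs vary.
    return { url: target.href, headers: { Authorization: 'Bearer ' + item.secret } };
  }
}
```

The server would send the returned request itself and pass only the API's response back to the project.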