Where to store sensitive data/credentials for an app

I’m building a simple app for internal use, i.e. not shared. The App calls an external API endpoint which requires an API key. Also there is a staging and a production endpoint.

I have read about GobalConfig, but all the docs say do not store sensitive information here. There is no guidance on where to store sensitive data. Please can someone tell me where I store credentials for an external API and also how I can use something like environment variables to swap the stage/prod endpoint and stage/prod API key.

Welcome to the Airtable community!

Per this post, this post, and this post, Airtable stores credentials in global config.

Thanks, I went ahead with globalConfig and had to build a simple settings panel in to my app. It works nicely but it does mean all users of the app can edit these settings and potentially break something. Not sure if there is a more advanced way to restrict access. It works for now though.