Example: I have an applications that needs to access an API providing an authentication token

myApi = MyApi(token=my_private_sensible_token)

I want to avoid having that private token in a configuration file that is part of the project.

One solution that comes to mind is to isolate interaction with this service in a separate proxy application that is maintained by a restricted number of authorised people. App-engine allows to protect handlers with authentication and I could easily, in the proxy, allow only calls coming from an authorised app-engine consumer application.

Different solutions I can think of, at certain point all make this private token available in the consumer application memory, this could allow a malicious user (that maintains the consumer) to write an handler that prints out this secret token that in some fancy way the application has retrieved.

Do you have better suggestions?

Another possible approach is to have 2 copies of the app (actually 2 different apps which happen to have the same code), each with their own app_ID, config file(s), etc:

• one for development/staging, accessible by the larger development team
• one for production - (possibly cloned/forked from the same SCM repo, maybe a private branch?) only accessible by the trusted devs and with the contents of the config file overwritten/updated for production deployment

Such setup can offer additional benefits besides just restricting access to production credentials, for example:

• ability to use a CI system which includes automatic deployment on a very close to production environment
• tighter control to production deployments