I built simple shinyapp that download tweets from a particular account and display some simple statistics and graphs (sentiment analysis, word clouds, etc.). I used the rtweet package. I would like to publish it at https://www.shinyapps.io/. The app works as intended locally using twitter auth token saved as a global environment.
How should I safely authorize my app publishing it online? Hardcoding my API keys into the script feels a terrible idea.
You could use library(secret) and add your API key to a vault. In your shiny application you add a field where your privat key needs to be provided and with this key you can get the API key from the vault.
Alternatively, you can add a field in your APP where the api key needs to be entered directly.
I found the answers I needed using these two instructions together:
This allowed me to publish the app to shinyapps.io without hardcoding any secret information into the app. Instead I used the functions rtweet::rtweet_app and rtweet::auth_app like this at the top of the server.R file:
app <- rtweet::rtweet_app(bearer_token = Sys.getenv("MY_BEARER_TOKEN"))
rtweet::auth_as(app)
The part saying Sys.getenv("MY_BEARER_TOKEN") retrieves the token from an environmental variable that you store according to recipe 2 above (the bearer token that you need to put in that .Renviron file is gotten from the Twitter developer platform and your app project there). The only thing to note regarding the recipe in link 2 above is that you should not store the .Renviron file locally at your computer but in the app that you publish to shinyapps.io, (as commented by the user Erik Iverson: "This worked for me after creating a copy of my .Renviron file in the root directory of my Shiny application").
