Best place for app wide constants and secret strings

Hey guys, I’m relatively new to Phoenix and have a question regarding API request authorization.
I have a simple local project and want to authorize requests with just a string. So I was trying to figure out where the best place for this secret string is in my app. What is best practice for placing fixed constants app wide? Or can I put this string in the config and then refer to it in my authorization plug?

My plan looks something like this:

In the router.ex I would like to pass the string / secret to my plug, and then within the plug I check the request header for this string.

pipeline :api do
  plug :accepts, ["json"]
  plug TRACKITWeb.Plugs.VerifyRequests, "string" # <- replace this with the imported constant / secret
end

Often something like this would come from the application config.

Out of the box, the “prod.exs” file generated in a new Phoenix project would look for a file called prod.secret.exs with the idea that you would put that secret file in place while you build the release (i.e. not checked in to source control). You can get at that config information using Application.get_env().

The static config files may or may not work for you depending on how your release is built though.

In practice I’ve found that it is more convenient for us to pass this kind of configuration information into the production environment as an environment variable and use System.get_env() to get at it. This may be because of our build pipeline, however, which makes the environment variable thing “easy” while a prod.secret.exs file would have to be generated, and the app recompiled, for our separate staging, RC, and prod environments.
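Added example, not part of the original thread: one way to write the plug from the question so that the secret comes from an environment variable at boot and is looked up per request instead of being passed as a literal in the router. The `:trackit` app name, the `:api_secret` key, the `TRACKIT_API_SECRET` variable and the `x-api-key` header are assumed names.

```elixir
# Assumed setup in config/runtime.exs (evaluated at boot, so no recompile
# is needed when the secret changes between staging, RC and prod):
#
#   import Config
#   config :trackit, :api_secret, System.fetch_env!("TRACKIT_API_SECRET")
#
# Router usage, with no secret in source control:
#
#   pipeline :api do
#     plug :accepts, ["json"]
#     plug TRACKITWeb.Plugs.VerifyRequests
#   end

defmodule TRACKITWeb.Plugs.VerifyRequests do
  @behaviour Plug
  import Plug.Conn

  # Assumed header name; use whatever the API clients actually send.
  @header "x-api-key"

  @impl true
  # init/1 can run at compile time, so the secret is not read here.
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    # Read at request time from the application config set at boot.
    expected = Application.fetch_env!(:trackit, :api_secret)

    case get_req_header(conn, @header) do
      # Exactly one non-empty header value is accepted.
      [given] when byte_size(given) > 0 ->
        # Constant-time comparison avoids leaking how many bytes matched.
        if Plug.Crypto.secure_compare(given, expected), do: conn, else: deny(conn)

      _missing_or_repeated ->
        deny(conn)
    end
  end

  # Reject the request and stop the rest of the pipeline from running.
  defp deny(conn) do
    conn
    |> send_resp(401, "unauthorized")
    |> halt()
  end
end
```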


Hi Scott, thanks for your detailed answer. This helped me a lot!