Google Apps Script
Library Security Guide
Best Practices
The Concept
Implementation
When distributing a Google Apps Script Library, your source code is typically visible to anyone who installs it. This creates a risk for sensitive logic or proprietary algorithms.
The Vulnerability
If you use Script Properties in the global scope (top-level), any user can access them. Furthermore, standard library code can be inspected via the script editor debugger or simply by making a copy.
The Solution
Store your core logic as a string inside Script Properties. Then, use a wrapper function to fetch and execute that string dynamically using
eval(). This keeps the logic hidden from the immediate view of the library consumer.
Hidden Scope
Code inside functions is harder to scrape than top-level variables.
Properties
Use PropertiesService to store sensitive strings or keys.
Method 1: Direct Execution
This method fetches the code string from properties and executes it immediately.
function code() {
eval(PropertiesService.getScriptProperties().getProperty('code'));
}
Method 2: Returning Values
If your hidden code calculates a value (like an API key or token), use this pattern to return it securely.
function code() {
eval(PropertiesService.getScriptProperties().getProperty('code'));
return val;
}
How to Set the Property
You need to run this once in your script to save the code string.
// Run this once to save the code
PropertiesService.getScriptProperties().setProperty('code', 'var val = "SECRET_KEY_123";');
Note: Using eval() should be done with caution. Ensure the stored code is trusted.
Copy Snippets
Open Editor
×
0 Comments