How do you secure external API tokens in a custom Twilio Flex Plugin?


I've been learning Twilio Flex UI plugin development for about a week now, and my goal is to integrate our CRM software into Flex UI using the plugin framework because native integration is not supported. I feel comfortable with the Twilio CLI, building plugins, and deploying basic plugins thanks to the helpful Twilio documentation. I'd now like to have my simple plugin pull data from my CRM using the CRM's API. I know how to pass secrets in Flex plugin deployments when deploying with GitHub (see the Flex Project Template project), as I've successfully deployed that, but I'd like to deploy plugins using the CLI. Additionally, I know I can't just store my API token in the Flex configuration object because it's exposed to the client, as described in this question/answer. The solution there is to use the JSON Web Token (JWT) and the twilio-flex-token-validator, but that seems to apply to Twilio Functions. Does the same apply to external APIs and I just need to dig into that, or does securing an external API token require another method?

This question relates but it applies to Flex SSO tokens, which I'm not concerned with.

As described above, I've searched Stack Overflow for solutions, but haven't had a good idea to try.

Edit: After reading through the Twilio documentation again, I ended up using the Flex Configuration API to store the API key as an attribute as per the last part of this page. This is the same process as described in an answer to a similar question.


Here is what I have done to figure out how to securely make API calls from my Flex Plugins. Follow the steps in https://www.twilio.com/docs/flex/developer/plugins/call-functions and make sure you secure it by using the JWT token you can generate inside of Flex.

On the backend in the Twilio functions, you can make an HTTP request to your CRM. When doing this, make sure you secure the request with a JWT. In your CRM, you can authenticate the incoming request and its JWT. When authenticated, you can return the data to your function which can be sent to your Flex instance.

I'm going to assume you have access to your CRM's underlying code. You can store your Twilio Account SID on that server, and when you make your HTTP requests with JWTs you could sign them with your Account SID. This is an easy "secret" to use for the signing since you have access to your Account SID on the Twilio end.