Ways to store external API keys?

If I were to work on an integration app where I have to apply for an API key for it, I cannot just check in the key to the GitHub project as that would most likely violate the ToS and probably invalidate the key.

Is there someplace I can store these keys securely? Since Athom publishes the apps directly from GitHub there is no intermediate step, right?

I am fully aware that storing secrets so they can be read (decrypted) on the end user device is not fool-proof, but this is not my point as keeping them out of hands of rooted Homeys (do they exist?) is (I believe) beyond what’s expected of me.

You can add environmental variables into the app store when you add your app in the app store.

See: https://apps.developer.athom.com/tutorial-App%20Store.html

When submitting your app, you can enter the variables during the submission process.

There are no rooted Homey’s, bootloader is not reachable by us mere mortals

They do state it is not 100% safe (only 99.9%), but what is when talking about the internet.

I saw that but I never figured out where to enter the actual data. I’ll give it another shot then.