So I understand this correctly…this is not triggering BigFix things via API, but an action that runs on the endpoint to trigger some other vendor’s API to do a thing?
Is the API a REST API? What language are you using to send the API commands, and what kind of credential storage is allowed based on that client & server?
If the thing is Kerberized, you may be able to use the machine’s Kerberos identity to authenticate & send the API command. I’m guessing it’s not that clean though and you need to store & pass a password for this API?
For my Python scripts, I’m becoming a fan of the ‘keyring’ module. It stores credentials with varying levels of security, though, so if you use it, be sure to check which backend it’s using. On Windows it uses Windows Credential Manager; on Linux and Mac it varies based on whether it can find a dbus back-end (i.e. a graphical logon session), and in the worst case it may be in trivially encoded files.
Security-wise, there is very little difference between ‘store the key as a fixed parameter’, ‘store the key as a fixed parameter, and the fixlet in a very limited site’, or ‘store the key in a prefetch’. Those may limit who can find the fixlet in the Console, but a client (or a browser pretending to be a client) could still download & read all of the fixlet content, including the prefetch commands, and trigger prefetch download commands to obtain the file. The attack surface on that can be reduced somewhat by Relay Authentication, but it’s still a pretty serious risk.
What’s the exposure/impact if this password/api key are leaked? Can you limit the exposure, maybe by creating an application to proxy requests to the API, limit the credentials storage to this proxy application, and limit which things the application will ask the tool to do on a client’s behalf?
Otherwise, I’d probably look at pre-sharing the API key to the client (either outside of BigFix entirely, or with a one-time Secure Parameter action to the clients involved), and then reference that stored password when you trigger the API commands. Python Keyring may be an option for storing the password on endpoints, or you might look into Vault. I think Gary Louw has talked some about using Vault in the context of MDM or the Plugin Portal, I’ll ping him on this.
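Following up on the "check which backend it's using" advice in the post above, here is an added example of what that check can look like in an endpoint script. This is my own code, not something from the post or from the keyring project. The allow-list of "trusted" backend class names is my judgement of which backends sit on an OS credential store; the fake backend classes at the bottom are constructed stand-ins so the file runs without keyring installed, and the service/username strings ("vendor-api", "bigfix-client") are placeholders.

```python
"""Refuse to read an API key from keyring unless the active backend is an OS store.

Added example for this thread, not code from the post above or from the
keyring project. Backend class names below are the real ones shipped by
keyring / keyrings.alt; the trusted/weak split is my own judgement.
"""
import importlib

# Backends backed by an OS credential store: Windows Credential Manager,
# macOS Keychain, Secret Service or KWallet reached over a D-Bus session.
TRUSTED_BACKENDS = {
    "keyring.backends.Windows.WinVaultKeyring",
    "keyring.backends.macOS.Keyring",
    "keyring.backends.SecretService.Keyring",
    "keyring.backends.kwallet.DBusKeyring",
}
# keyrings.alt holds the file-based fallbacks (PlaintextKeyring,
# EncryptedKeyring) that the post warns about.
WEAK_BACKEND_PREFIXES = ("keyrings.alt.",)
# What keyring selects when it finds no usable store at all.
UNUSABLE_BACKENDS = {
    "keyring.backends.fail.Keyring",
    "keyring.backends.null.Keyring",
}
# keyring returns this wrapper when several backends are viable; it answers
# get_password() from whichever member has the entry, so it is only as safe
# as its weakest member.
CHAINER_BACKEND = "keyring.backends.chainer.ChainerBackend"

# Ordering used to pick the worst verdict among chainer members.
_RANK = {"unusable": 0, "weak": 1, "unknown": 2, "trusted": 3}


def backend_name(backend):
    """Fully qualified class name of a backend instance, e.g.
    'keyring.backends.Windows.WinVaultKeyring'."""
    cls = type(backend)
    return f"{cls.__module__}.{cls.__qualname__}"


def classify_backend_name(name):
    """Map a backend class name to 'trusted', 'weak', 'unusable' or 'unknown'."""
    if name in TRUSTED_BACKENDS:
        return "trusted"
    if name in UNUSABLE_BACKENDS:
        return "unusable"
    if name.startswith(WEAK_BACKEND_PREFIXES):
        return "weak"
    return "unknown"


def classify_backend(backend):
    """Classify a backend instance; a chainer gets its weakest member's verdict."""
    name = backend_name(backend)
    if name == CHAINER_BACKEND:
        members = [classify_backend_name(backend_name(b))
                   for b in getattr(backend, "backends", [])]
        if not members:
            return "unusable"
        return min(members, key=_RANK.__getitem__)
    return classify_backend_name(name)


def is_backend_acceptable(backend):
    return classify_backend(backend) == "trusted"


def load_api_key(service, username, backend=None):
    """Return the stored API key, or raise rather than read it from a weak store.

    With backend=None the real keyring module is imported lazily and its
    selected backend is inspected; a backend object can be passed for testing.
    """
    if backend is None:
        backend = importlib.import_module("keyring").get_keyring()
    verdict = classify_backend(backend)
    if verdict != "trusted":
        raise RuntimeError(
            f"refusing to use keyring backend {backend_name(backend)} ({verdict})")
    secret = backend.get_password(service, username)
    if secret is None:
        raise LookupError(f"no credential stored for {service}/{username}")
    return secret


# Constructed stand-ins (not real keyring classes) so this file runs without
# keyring installed; they only mimic the class names and get_password().
class FakeVaultBackend:
    __module__ = "keyring.backends.Windows"
    __qualname__ = "WinVaultKeyring"

    def __init__(self, secrets):
        self._secrets = secrets

    def get_password(self, service, username):
        return self._secrets.get((service, username))


class FakePlaintextBackend:
    __module__ = "keyrings.alt.file"
    __qualname__ = "PlaintextKeyring"

    def get_password(self, service, username):
        return "would-be-read-from-a-trivially-encoded-file"


if __name__ == "__main__":
    vault = FakeVaultBackend({("vendor-api", "bigfix-client"): "example-key"})
    print("vault ->", load_api_key("vendor-api", "bigfix-client", backend=vault))
    try:
        load_api_key("vendor-api", "bigfix-client", backend=FakePlaintextBackend())
    except RuntimeError as exc:
        print("plaintext ->", exc)
```

Two practical notes on using this from a BigFix action: the BESClient service on Windows runs as LocalSystem by default, so the one-time "store the key" step has to run under that account (an action, not an interactive admin session) or the later lookup will land in a different user's Credential Manager; and on a headless Linux server with no D-Bus session the check will usually reject the fallback file backend, which is the point, so plan on the proxy or Vault approach the post mentions for those endpoints.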