Are Task IDs/Project IDs Secrets?

Hi,

I’m working on an integration that makes frequent use of Asana task IDs and project IDs, and thus needs to store them in a configuration file. The project is open source, so its code is open to the world. If I store the configuration file in git, the task/project IDs will be available to anyone who wants to see them. Is this a security risk? Should I be protective of this information, and not store it unencrypted or in code? Or is it fine if task and project IDs are out in the wild?

Apologies if this was asked before, but I wasn’t able to find any mention of it.

Thanks!

Why don’t you git ignore them and add a fake configuration file instead?

Thanks for your response! To be clear, my question is not about the optimal method for handling configuration files, but specifically about whether task IDs and project IDs should be treated as secrets. With that said:

Why don’t you git ignore them and add a fake configuration file instead?

That is certainly a valid alternate approach, and one I am considering, but it adds complexity around the handling and deployment of the configuration files. If task/project IDs don’t need to be treated as privileged information, then this complexity is unnecessary, hence my question.

It should be generally safe to expose those IDs - without the appropriate security token (OAuth or Personal Access Token), having the IDs won’t do anyone any good in trying to access the underlying items.

Thanks for the clarification, you are right. I always considered them as not private, because there is no system in place at Asana (that I know of) to allow you to read something just because you have the ID.

Yeah, I mean technically they are safe to expose. The only counter-argument I can think of is that if you consider it as a “2 factor” type of situation in that in order to access an Asana object, you have to have both (1) the ID and (2) the authentication token, one could argue that exposing one of those two publicly takes away one of the two “factors” and means that a hacker would only need to have an auth token in order to access the object. But that still seems pretty remote (you’d have to have the exact right token which provides access to the specific ID, and how would you know that it was the right token for that ID other than trying it?).
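The split discussed in this thread (IDs can live in the committed configuration file, the access token cannot) can be enforced with a check like the one below. This is an added example, not code from any poster or from Asana; the environment variable name `ASANA_ACCESS_TOKEN`, the config layout, the credential key patterns and the numeric-ID check are assumptions made for illustration.

```python
import json
import re

# Assumption: key names that indicate a credential; adjust to the integration.
SECRET_KEY_RE = re.compile(r"(token|secret|password|api_?key)$", re.IGNORECASE)
# Assumption: task and project IDs are strings of digits.
ID_RE = re.compile(r"^\d+$")
TOKEN_ENV = "ASANA_ACCESS_TOKEN"  # hypothetical variable name

# Constructed sample of a config file that holds IDs only.
SAMPLE_CONFIG = (
    '{"project_id": "1200000000000001",'
    ' "task_ids": ["1200000000000002", "1200000000000003"]}'
)


def find_secret_keys(node, path=""):
    """Return dotted paths of config keys that look like credentials."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if SECRET_KEY_RE.search(key):
                hits.append(here)
            hits.extend(find_secret_keys(value, here))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_secret_keys(value, f"{path}[{i}]"))
    return hits


def load_settings(config_text, env):
    """Merge the committed ID config with a token read only from env."""
    config = json.loads(config_text)
    leaked = find_secret_keys(config)
    if leaked:
        raise ValueError(f"credential-like keys in committed config: {leaked}")
    ids = [config["project_id"], *config["task_ids"]]
    bad = [i for i in ids if not (isinstance(i, str) and ID_RE.match(i))]
    if bad:
        raise ValueError(f"malformed IDs: {bad}")
    token = env.get(TOKEN_ENV)
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set")
    return {"project_id": config["project_id"],
            "task_ids": config["task_ids"], "token": token}
```

Running `find_secret_keys` over the config file in CI or a pre-commit hook keeps the public file limited to IDs, so the token is never committed.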