Storing Private Data
The settings API provides a great way to keep user or project settings, or to store the state of your plugin.
For storing private data, such as login credentials and API keys, we recommend the following practices:
- Never store plain text passwords, but use private keys or tokens instead. These can be scoped, revoked at a later time, and can have metadata like an issue date.
- It's common industry practice to store private keys and tokens to disk. They can also be stored in the settings, or stored in an external service that is accessed via an API.
- From a security standpoint it's best to use encryption or authentication to access the keys.
The persistent data API stores a JSON object in the database based on a unique API key. The API key is unique for each installation of your plugin. We use a SHA-1 hash that is uniquely assigned to your plugin when it's installed. This key is not revealed to other plugins directly, but it's important to realize that other third-party plugins run in the same client and can potentially gain access to this key.
To get access to the API, initialize it using the setAPIKey() method:
function main(options, imports, register) {
    // ...
    var plugin = new Plugin("Your Name", main.consumes);
    // options.apikey is the key assigned to this installation of the plugin
    var api = plugin.setAPIKey(options.apikey);
    // ...
}
Storing Private Data
As with the settings, you can store data in the context of the user or the project. The first argument takes the string user or workspace to determine that. The second argument is a JSON object with the data you'd like to store. On success the data is stored in our database.
api.setPersistentData("user", { example: 123 }, function(err) {
    if (err) return console.error(err);
    // The data is stored
});
Retrieving Private Data
Retrieving the data you have stored works analogously to storing it. Simply specify the context and the request will return the data you have stored.
api.getPersistentData("user", function(err, data) {
    if (err) return console.error(err);
    console.log(data.example === 123); // true
});
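The recommendations at the top of this page (store a scoped token with metadata such as an issue date, never a plain text password) can be combined with the two calls above. The following is an added example, not code from the SDK: saveToken, loadToken, makeStubApi and the record fields scope, issuedAt and expiresAt are hypothetical names, and the stub is an in-memory stand-in for the object returned by setAPIKey() so the example runs offline.

```javascript
// Stand-in for the object returned by plugin.setAPIKey(): keeps data in
// memory and calls back synchronously (assumption, for offline use only).
function makeStubApi() {
    var store = {};
    return {
        setPersistentData: function(context, data, callback) {
            store[context] = JSON.stringify(data);
            callback(null);
        },
        getPersistentData: function(context, callback) {
            callback(null, store[context] ? JSON.parse(store[context]) : {});
        }
    };
}

// Hypothetical helper: persist a token record, never a password.
function saveToken(api, context, record, callback) {
    if (context !== "user" && context !== "workspace")
        return callback(new Error("context must be 'user' or 'workspace'"));
    if ("password" in record || typeof record.token !== "string")
        return callback(new Error("store a token, not a password"));
    api.setPersistentData(context, {
        token: record.token,
        scope: record.scope,
        issuedAt: record.issuedAt,
        expiresAt: record.expiresAt
    }, callback);
}

// Hypothetical helper: hand back the record only while the token is valid.
function loadToken(api, context, now, callback) {
    api.getPersistentData(context, function(err, data) {
        if (err) return callback(err);
        if (!data || typeof data.token !== "string")
            return callback(new Error("no token stored"));
        if (typeof data.expiresAt !== "number" || now >= data.expiresAt)
            return callback(new Error("token expired; request a new one"));
        callback(null, data);
    });
}

// Constructed sample values, not real credentials.
var api = makeStubApi();
saveToken(api, "user", { token: "tok_constructed_example", scope: "read",
    issuedAt: 1000, expiresAt: 2000 }, function(err) {
    if (err) throw err;
    loadToken(api, "user", 1500, function(err, data) {
        console.log(err ? err.message : "token scope: " + data.scope);
    });
});
```

Because other plugins in the same client can potentially reach the API key, a short expiry and a narrow scope limit what a token read from this store is worth.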