Copying and pasting secret API keys into your Val Town Environment Variables is annoying and error prone. Wouldn't it be nice if you could add an environment variable in one click? What could such a protocol look like for third-party API company to be able to safely pass their customer's API keys to their customer's Val Town account.

A naive approach to this would be a link that looks like this:

<a href="https://www.val.town/settings/environment-variables?name=OpenAI&value=sk-123...">
  Add OpenAI key to Val Town
</a>

However it isn't safe to put API key values in URLs like that, but it would be great if we could still put it in the URL so it can act like a simple link. We need to encrypt the API key in such a way that nobody can read it except for the Val Town app. Val Town could provide a public key for API providers to encrypt their tokens with.

We could add an extra layer of security by including the timestamp in the request as well as the Val Town username that the token is intended for. All that data should be included in the encrypted package. We can also ensure that each such link is used exactly once.

This scheme does feel a bit ad hoc though, so it'd be nice if there existed another protocol for doing this that we could use.