
As a developer, I want the API-keys and various security tokens to be handled correctly

To request data from the GitLab API, you must use an API token that identifies you. Send the token in the Authorization header of every request so that GitLab can authorize it. Note that this token is personal to your GitLab account: it must never be committed to a repository or shared with anyone (not even the teachers), and it must never be sent to the client, since anyone holding it can act as you.

There are several ways to authenticate your calls to GitLab, see https://docs.gitlab.com/ee/api/README.html#authentication. In this application you must authenticate with a "personal access token": create one in your GitLab user settings, give it the scope that allows it to work with issues (the "api" scope), and send it along with the correct header. GitLab accepts a personal access token either as "PRIVATE-TOKEN: <token>" or, OAuth-style, as "Authorization: Bearer <token>".

When you register a callback URL for the webhook, you should also define a secret token so that you can validate the payloads delivered to the application: GitLab sends that secret in the "X-Gitlab-Token" header of every delivery, and your application must reject any request whose header does not match it. This secret is also something to keep out of the repository. You can solve this in a couple of ways; in this assignment, you should use environment variables. Your application reads the access token and the webhook secret from its environment, and you set those variables when you start the application, so neither value ever appears in the source code.