There are answers explaining what the secret and (public) key is. But nobody says why the APIs require both, and many APIs only give you one secret! I've also never seen any API's docs explain why they have two keys, so the best I can do is speculate. It's a public-private key pair that they give confusing names to.

1. This removes the necessity to use two-way encryption, and has the added benefit of keeping your secret secure if the system is compromised. It has the downside that you cannot show the secret to the user again.
2. Use a single key, show it to the user once, hash it, then do a normal lookup of the hashed or encrypted key. This uses a single key, but it is not able to be shown to the user again. Has the benefit of keeping keys secure if the system is compromised.
3. Use a single key, show it to the user once, encrypt it, and do a normal lookup of the encrypted secret. Can be shown to the user again, but at the cost of having keys vulnerable if the system is compromised.

Of these, I think that 3 is the best balance of security and convenience. I have seen this implemented on many websites when getting keys issued. I just wanted to get this out there as another discussion point. Also, I invite any actual security experts to critique this answer.
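The trade-off between options 2 and 3 above (hash the single key and never redisplay it, versus encrypt it and be able to redisplay it at the cost of exposure if the store and its master key are both taken) can be made concrete with a small worked example. The code below is an added illustration, not the answer's own code or any particular API's implementation. It uses only the Python standard library; the in-memory tables, the `master_key` value, and the owner names are constructed for the example. The encrypted store uses a deterministic SIV-style construction built from HMAC-SHA256 so that lookup is a plain equality match, as the answer describes; a real deployment would use a vetted AEAD from a crypto library rather than this hand-rolled scheme.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 32  # each issued key carries 256 bits of entropy


class HashedKeyStore:
    """Option 2 from the answer: the row holds only SHA-256(key).
    Lookup re-hashes the presented key; the key is shown once, can never be
    redisplayed, and a stolen table yields nothing that authenticates."""

    def __init__(self):
        self.rows = {}  # constructed in-memory table: sha256 hex -> owner

    def issue(self, owner):
        key = secrets.token_hex(KEY_BYTES)
        # A fast unsalted hash is acceptable only because the key is random and
        # high-entropy; a user-chosen secret would need a salted, slow KDF.
        self.rows[hashlib.sha256(key.encode()).hexdigest()] = owner
        return key  # the only time the plaintext leaves the server

    def lookup(self, presented):
        return self.rows.get(hashlib.sha256(presented.encode()).hexdigest())

    def reveal(self, owner):
        return None  # the plaintext was never stored

    def keys_exposed_by_dump(self, stolen_master_key=None):
        return []  # hashes of 256-bit random keys cannot be inverted or guessed


class EncryptedKeyStore:
    """Option 3 from the answer: the key is stored encrypted under a server-side
    master key and indexed by a keyed digest of the plaintext, so lookup is a
    plain equality match. The key can be redisplayed, but table + master key
    together give up every key.

    Illustrative SIV-style deterministic encryption from HMAC-SHA256:
    iv = HMAC(mac_key, plaintext)[:16]; keystream = HMAC(enc_key, iv || counter)."""

    def __init__(self, master_key):
        self.master_key = master_key
        self.mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self.enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self.rows = {}  # constructed in-memory table: iv hex -> (owner, ciphertext)

    def _keystream(self, iv, length):
        out, counter = b"", 0
        while len(out) < length:
            block = iv + counter.to_bytes(4, "big")
            out += hmac.new(self.enc_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _encrypt(self, plaintext):
        iv = hmac.new(self.mac_key, plaintext, hashlib.sha256).digest()[:16]
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(iv, len(plaintext))))
        return iv, ct

    def _decrypt(self, iv, ct):
        pt = bytes(c ^ k for c, k in zip(ct, self._keystream(iv, len(ct))))
        expected = hmac.new(self.mac_key, pt, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(iv, expected):
            raise ValueError("ciphertext or master key does not match")
        return pt

    def issue(self, owner):
        key = secrets.token_hex(KEY_BYTES)
        iv, ct = self._encrypt(key.encode())
        self.rows[iv.hex()] = (owner, ct)
        return key

    def lookup(self, presented):
        iv, ct = self._encrypt(presented.encode())  # deterministic, so re-encrypt and match
        row = self.rows.get(iv.hex())
        if row is None or not hmac.compare_digest(row[1], ct):
            return None
        return row[0]

    def reveal(self, owner):
        for iv_hex, (row_owner, ct) in self.rows.items():
            if row_owner == owner:
                return self._decrypt(bytes.fromhex(iv_hex), ct).decode()
        return None

    def keys_exposed_by_dump(self, stolen_master_key=None):
        """What a copy of the table gives up: nothing without the master key,
        every key with it. Models the 'vulnerable if the system is compromised'
        cost the answer attaches to option 3."""
        if stolen_master_key is None:
            return []
        holder = EncryptedKeyStore(stolen_master_key)
        exposed = []
        for iv_hex, (_owner, ct) in self.rows.items():
            try:
                exposed.append(holder._decrypt(bytes.fromhex(iv_hex), ct).decode())
            except ValueError:
                pass  # wrong master key: the synthetic-IV check fails
        return exposed
```

Both stores answer `lookup` the same way from the client's point of view; the difference shows only in `reveal` (option 2 cannot, option 3 can) and in `keys_exposed_by_dump`, which is empty for the hashed store under every condition and empty for the encrypted store only while the master key stays out of the dump.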