by richbradshaw 1958 days ago
It's common (for novices/experts who are in a rush) to accidentally commit AWS keys for dev environments, or other API keys (e.g. Mailchimp) or other secrets (2FA, SAML certs etc).

We all know how to do it right, but particularly early on in a project it's easy to test something with a hardcoded API key, then forget and commit it.

Picking a framework that makes this a less obvious choice (e.g. using a .env file that's already in .gitignore by default) helps a lot here.


So, what's to prevent a developer from also skipping over proper application of this hypothetical URI scheme if they are in such a rush? It seems like this is a similar level of pedantry that would be disregarded if one were in a hurry.
AWS, for example, could start issuing their tokens with this prefix. The hypothetical inexperienced/rushed developer is a consumer of the service, not an issuer of tokens.
The idea is that people issuing tokens (e.g. AWS, Mailchimp etc) in my example would follow this.

This would then allow other tools (e.g. git, GitHub, pre-commit linters, frameworks) to flag this as a problem, either with a warning or an error, depending on the tool.

The idea is that then the novice/rushing expert is prevented from this easy-to-make mistake.
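To make the "tools can flag it" point concrete, here is an added example of the kind of pre-commit check the thread has in mind; it is not code from the thread or from any of the tools or services mentioned. It assumes the issued tokens carry the `secret-token:` prefix (the prefix of the secret-token URI scheme, used here as a stand-in for the scheme under discussion), scans staged file contents for that prefix, and reports each hit with the token body masked so the hook's own output cannot leak the secret. `SAMPLE_FILES` is constructed sample input; `staged_files_from_git` is only used when the script runs as an actual hook.

```python
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass

# Assumed prefix standing in for the scheme proposed in the thread.
TOKEN_PREFIX = "secret-token:"
# Token body: RFC 3986 unreserved characters or percent-encoded octets,
# so a closing quote, space or comma ends the match.
TOKEN_RE = re.compile(re.escape(TOKEN_PREFIX) + r"(?:[A-Za-z0-9\-._~]|%[0-9A-Fa-f]{2})+")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    redacted: str  # prefix + first few body chars + '*' padding, never the full secret


def redact(token: str, keep: int = 4) -> str:
    """Keep the prefix and the first `keep` body characters, mask the rest."""
    body = token[len(TOKEN_PREFIX):]
    return f"{TOKEN_PREFIX}{body[:keep]}{'*' * max(len(body) - keep, 0)}"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per prefixed token found in `text`."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            findings.append(Finding(path, line_no, redact(match.group(0))))
    return findings


def scan_staged_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> staged content (what a hook would feed in)."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def staged_files_from_git() -> dict[str, str]:
    """Read the staged (index) version of each added/copied/modified file."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    files: dict[str, str] = {}
    for name in names:
        blob = subprocess.run(["git", "show", f":{name}"], capture_output=True, check=True).stdout
        files[name] = blob.decode("utf-8", errors="replace")
    return files


# Constructed sample input: one hard-coded key in source, one in a staged .env file.
SAMPLE_FILES = {
    "config.py": '# constructed sample\nAWS_SECRET = "secret-token:abcd1234efgh5678"\n',
    ".env": "MAILCHIMP_KEY=secret-token:zzzz9999\n",
    "README.md": "Nothing sensitive in here.\n",
}


def main() -> int:
    """Hook entry point: non-zero exit blocks the commit when a token is staged."""
    findings = scan_staged_files(staged_files_from_git())
    for f in findings:
        print(f"{f.path}:{f.line_no}: staged secret {f.redacted}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit` (or wired into a pre-commit framework), the hook fails the commit on any hit; the point the thread makes is that with an issuer-supplied prefix the detection rule is a single exact-prefix match rather than a fragile per-service regex, and the same rule works for a GitHub push check or an editor linter.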

Cloud services and other third party software would start to generate and require bearer tokens in this format.

It will be easiest for developers in a hurry or without knowledge to simply copy and paste these third party strings.

(Pedantry is only required when writing their own software to generate bearer tokens, not even using a library or framework, and developers rarely do that, especially the kinds of things written in a rush.)