Hacker News
by remram 530 days ago
I use URLs as API keys, so they are self-descriptive (links to a page that tells you what it is/what service it's for) and self-revocable (there's a button, no need to post it to a GitHub repo to have them revoke it for you with their secret scanner [1]).

I bring this up a lot [2] but I do think there is value in being able to tell if something is a secret and tell where to go to revoke it if found. Most current API keys use some sort of prefix at least (AWS, SendGrid, GitHub, etc).

[1]: https://docs.github.com/en/code-security/secret-scanning/int...

[2]: https://news.ycombinator.com/item?id=28296864
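
An added illustration of the idea in the comment above (not code from the commenter or from any vendor): a small scanner that recognizes prefixed keys and URL-shaped keys, and reports a revocation pointer only when the key itself carries one. The `/apikey/` URL layout and the `keys.example.com` host are hypothetical, and the token lengths are the commonly seen ones for those prefixes, taken here as assumptions.

```python
import re

# Vendor prefixes the comment alludes to; lengths are assumed (commonly seen).
EDGE = r"(?<![A-Za-z0-9_-])(?:%s)(?![A-Za-z0-9_-])"
PREFIX_RULES = [
    ("AWS access key ID", re.compile(EDGE % r"AKIA[0-9A-Z]{16}")),
    ("GitHub personal access token", re.compile(EDGE % r"ghp_[A-Za-z0-9]{36}")),
    ("SendGrid API key",
     re.compile(EDGE % r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}")),
]
# Hypothetical URL-shaped key: https://<issuer>/apikey/<32+ url-safe chars>.
URL_KEY = re.compile(
    r"https://(?P<host>[A-Za-z0-9.-]+)/apikey/(?P<token>[A-Za-z0-9_-]{32,})"
)

def scan(text):
    """Return findings with a redacted preview and, where known, a revoke link."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PREFIX_RULES:
            for m in rx.finditer(line):
                # A prefix identifies the issuer, but not where to revoke.
                findings.append({"line": lineno, "kind": kind,
                                 "preview": m.group()[:8] + "...",
                                 "revoke_at": None})
        for m in URL_KEY.finditer(line):
            url = m.group()
            shown = m.start("token") - m.start() + 4
            # The key is its own pointer to the issuer's revocation page,
            # so the report holds a live secret and must be handled as one.
            findings.append({"line": lineno,
                             "kind": "URL key (%s)" % m.group("host"),
                             "preview": url[:shown] + "...",
                             "revoke_at": url})
    return findings

# Constructed sample input; every value below is fake.
SAMPLE = "\n".join([
    "aws_key = " + "AKIA" + "EXAMPLE0" * 2,
    "token: " + "ghp_" + "x" * 36,
    "SENDGRID=" + "SG." + "a" * 22 + "." + "b" * 43,
    "backup_api = https://keys.example.com/apikey/" + "k" * 40,
    "docs = https://example.com/apikey/short",  # too short to be a key
])

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
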