[calrain]

I don't like giving away any information what-so-ever in an API key, and would lean towards a UUIDv7 string, just trying to avoid collisions.

Even the random hex with checksum component seems overkill to me, either the API key is correct or it isn't.

[andrus]

GitHub introduced checksums to their tokens to aid offline secret scanning. AFAIK it’s mostly an optimization for that use case. But the checksums also mean you can reveal a token’s prefix and suffix to show a partially redacted token, which has its benefits.

[sneak]

Identifying an opaque value is useful for security analysis. You can use regex to see when they are committed to repos accidentally, for example.