Hacker News new | ask | show | jobs
by vjay15 58 days ago
Hello bob! the checksum is for secret scanning offline and also for rejecting api keys which might have a typo (niche case)

I just was confused regarding the JWT approach, since from the research I did I saw that it's supposed to be a unique string and thats it!
3 comments
petterroea 58 days ago
I may be naive but I can't imagine anyone typing an api key by hand. Optimizing for it sounds like premature optimization, surely stopping the less than one in a million HTTP request with a hand-typed API key from reaching the db isn't worth anything
link
vjay15 58 days ago
if not for typo, then I can use for secret scanning then :)
link
petterroea 58 days ago
Good point!
link
bob1029 58 days ago
The neat thing about JWT is that there are no secrets to scan for. Your secret material ideally lives inside an HSM and never leaves. Scanning for these private keys is a waste of energy if they were generated inside the secure context.
link
agwa 57 days ago
But JWTs are usually used as bearer tokens when doing API authentication. Those are definitely secrets that need to be scanned for.

Or are you suggesting that the API requests are signed with a private key stored in an HSM, and the JWT certifies the public key? Is that common?

link
bob1029 57 days ago
> are you suggesting that the API requests are signed with a private key stored in an HSM, and the JWT certifies the public key? Is that common?

Very. The thing that certifies the public key is called a JWK.

https://datatracker.ietf.org/doc/html/rfc7517

This is typically hosted at a special URL that enables seamless key rotation and discovery.

https://auth0.com/docs/secure/tokens/json-web-tokens/json-we...

link
mattacular 57 days ago
That's how JWT is designed to work
link
vjay15 58 days ago
Ideally API key shouldn't contain anything regarding the account or any info right? it's meant to be an opaque string, is what I found in most of the other articles I read. Please do let me know if I am wrong about this assumption
link
ijustlovemath 57 days ago
JWT operates on a different principle; the user's private key (API key) never leaves the user's device. Instead, the stated "role" and other JSON data are signed with the servers pubkey, then verified by the server using its master key, granting the permissions that role allows.
link
miningape 57 days ago
Look at the JWT standard, it usually contains things like claims, roles, user ids, etc.
link
arethuza 58 days ago
"for rejecting api keys which might have a type" - assuming that is meant by to be "typo" - won't they get rejected anyway?
link
vjay15 58 days ago
it's just an added benefit, I don't have to make a DB call to verify that :)
link