Author of the article here - look forward to any discussion here. Curious how many folks have already implemented something like this themselves... did you make different decisions?
Yeah, some folks might consider going further and use hashes that salted or one-way encrypted via key so that nobody else can recreate the checksum. Some performance tradeoffs but can prevent some other vectors like cache-filling etc.
Regarding retrievable vs. irretrievable, I think is a matter of who do you delegate the ownership of the security. Using Irretrievable, you are transferring that to your users, which in a lot of scenarios just store them in plain text in non secure places.
I think having the chance to retrieve the api keys gives a much better Developer Experience to your consumers.
Never thought of it that way, and honestly this is so correct. Some of my PATs are stored in Apple Notes because I need them every so often. I guess I could use something like 1Password to store them securely but it's just another transfer of ownership and trust.
Also, in addition to showing the creation date of the API key, I find it super friendly if it is possible to name the API key (and/or add a note to it).
6 comments
[ 3.2 ms ] story [ 25.3 ms ] threadI think having the chance to retrieve the api keys gives a much better Developer Experience to your consumers.
Also, in addition to showing the creation date of the API key, I find it super friendly if it is possible to name the API key (and/or add a note to it).