Generate MLS keys with a known signature
Closed this issue · 0 comments
jwhitlock commented
@Micheletto suggested in the monthly MLS meeting that if we prefix MLS API keys with a signature, we would be able to detect if they are checked into repositories. He may have mentioned a project that allows you to specify the format of your secret, for detection purposes.
Currently, we use UUIDs for generating keys, such as:
bdd3664f-bb65-4ac9-a334-bf16b2d89954
We could add a prefix:
mls-apikey-bdd3664f-bb65-4ac9-a334-bf16b2d89954
It may not make a huge difference with the existing APIs, which follow the Google location API's lead and pass the key with each request. We may want to implement this for new APIs, where the key is not sent in plaintext.