Generate MLS keys with a known signature

Question

Generate MLS keys with a known signature

Closed this issue 2 months ago · 0 comments

@Micheletto suggested in the monthly MLS meeting that if we prefix MLS API keys with a signature, we would be able to detect if they are checked into repositories. He may have mentioned a project that allows you to specify the format of your secret, for detection purposes.

Currently, we use UUIDs for generating keys, such as:

bdd3664f-bb65-4ac9-a334-bf16b2d89954

We could add a prefix:

mls-apikey-bdd3664f-bb65-4ac9-a334-bf16b2d89954

It may not make a huge difference with the existing APIs, which follow the Google location API's lead and pass the key with each request. We may want to implement this for new APIs, where the key is not sent in plaintext.