calrain 2 days ago

I don't like giving away any information whatsoever in an API key, and would lean towards a UUIDv7 string, just trying to avoid collisions.

Even the random hex with checksum component seems overkill to me, either the API key is correct or it isn't.

andrus 2 days ago

GitHub introduced checksums to their tokens to aid offline secret scanning. AFAIK it’s mostly an optimization for that use case. But the checksums also mean you can reveal a token’s prefix and suffix to show a partially redacted token, which has its benefits.

sneak 2 days ago

Identifying an opaque value is useful for security analysis. You can use regex to see when they are committed to repos accidentally, for example.
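A worked example, added here and not part of the thread, of the two ideas raised above: a token format with a recognisable prefix and a trailing checksum (andrus's point), and a scanner that finds such tokens in text with a regex and uses the checksum to discard lookalikes before alerting (sneak's point). The `exk_` prefix, the 30-character base62 body, the 6-character base62 CRC32 suffix and the sample text are all constructed for this example and are not GitHub's actual token format.

```python
import re
import secrets
import string
import zlib

# Constructed scheme, not GitHub's: prefix + 30 random base62 chars + 6-char base62 CRC32 checksum.
ALPHABET = string.ascii_letters + string.digits   # 62 symbols; digit order only matters within this scheme
PREFIX = "exk_"                                    # hypothetical prefix that makes tokens greppable
RANDOM_LEN = 30
CHECK_LEN = 6                                      # 62**6 > 2**32, so a CRC32 always fits


def base62(n: int, width: int) -> str:
    """Fixed-width base62 encoding (left-padded with ALPHABET[0])."""
    out = []
    for _ in range(width):
        n, r = divmod(n, 62)
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def checksum(body: str) -> str:
    """Checksum over the random part only; detects corruption and lookalikes, carries no secret."""
    return base62(zlib.crc32(body.encode()) & 0xFFFFFFFF, CHECK_LEN)


def generate_key() -> str:
    body = "".join(secrets.choice(ALPHABET) for _ in range(RANDOM_LEN))
    return PREFIX + body + checksum(body)


# Regex for the shape; \b stops matches inside longer identifiers.
TOKEN_RE = re.compile(
    r"\b" + re.escape(PREFIX) + r"([A-Za-z0-9]{%d})([A-Za-z0-9]{%d})\b" % (RANDOM_LEN, CHECK_LEN)
)


def is_valid(token: str) -> bool:
    """Offline structural check: right shape and checksum matches. Says nothing about revocation."""
    m = TOKEN_RE.fullmatch(token)
    return m is not None and checksum(m.group(1)) == m.group(2)


def scan(text: str) -> list[str]:
    """Return tokens found in text whose checksum verifies; shape-only matches are dropped."""
    return [m.group(0) for m in TOKEN_RE.finditer(text) if checksum(m.group(1)) == m.group(2)]


def redact(token: str, keep: int = 4) -> str:
    """Show prefix, first few body chars and the checksum; mask the rest of the secret body."""
    head = len(PREFIX) + keep
    return token[:head] + "*" * (RANDOM_LEN - keep) + token[-CHECK_LEN:]


# Constructed sample input: one real key plus a lookalike whose last checksum char is shifted by one.
SAMPLE_KEY = generate_key()
_last = SAMPLE_KEY[-1]
LOOKALIKE = SAMPLE_KEY[:-1] + ALPHABET[(ALPHABET.index(_last) + 1) % len(ALPHABET)]
SAMPLE_TEXT = (
    "+API_KEY = \"" + SAMPLE_KEY + "\"\n"
    "+# old value, mangled: " + LOOKALIKE + "\n"
    "+other_setting = 42\n"
)

if __name__ == "__main__":
    for hit in scan(SAMPLE_TEXT):
        print("possible leaked key:", redact(hit))
```

The scanner only reports strings whose checksum verifies, so random base62 runs of the right length (build hashes, session ids) do not trigger it; `redact` relies on the same property andrus describes, showing the prefix and the checksum while masking the body that actually authenticates.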