Access_key and Secret_key confidentiality

This is certainly a stupid question, but I do not really understand the confidentiality around the SECRET_KEY in the admin UI when we create a new API Key. Since we concatenate the 2 and just Base64 encode it, it’s very easy to retrieve the secret from the Basic header.

When I hear “SECRET” I think “signature”, but there’s no signature at all in this process? Or am I missing something somewhere…

Thank you.

The access key is public information that identifies the key and is shown in the UI, recorded with audit logs, etc. The secret key is “secret” in that it cannot be retrieved from the API after initial creation and should be protected in how you store and use it.

Signature-based auth is complicated and error-prone to implement and complicated and error-prone for consumers to use, effectively requiring libraries for every language. (Consider: Amazon is on version 4 of their algorithm, because they got it wrong 3 times before.)

For any non-trivial installation you should be doing SSL termination (and in 2.0 it’s required and on by default). HTTP Basic auth over SSL is simple and effective and works with curl.
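One way a server can keep the "cannot be retrieved after creation" property while still accepting HTTP Basic auth over TLS, as an added example that is not part of this thread or the product's own code; the hashed in-memory key store, the function names and the sample key format are assumptions:

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory key store: access_key -> SHA-256 digest of the secret.
# Assumption (not stated in the thread): the server keeps only a one-way hash,
# which is what makes the secret unrecoverable from the API after creation.
_KEYS: Dict[str, bytes] = {}


def create_api_key() -> Tuple[str, str]:
    """Create a key pair. The secret is returned exactly once and never stored in the clear."""
    access_key = secrets.token_hex(8)          # public identifier, safe to log
    secret_key = secrets.token_urlsafe(32)     # shown to the user only now
    _KEYS[access_key] = hashlib.sha256(secret_key.encode()).digest()
    return access_key, secret_key


def basic_header(access_key: str, secret_key: str) -> str:
    """What the client sends: base64(access_key:secret_key). Base64 is encoding, not
    encryption, so TLS is what keeps the secret off the wire in the clear."""
    token = base64.b64encode(f"{access_key}:{secret_key}".encode()).decode()
    return f"Basic {token}"


def authenticate(authorization: str) -> Optional[str]:
    """Return the access key if the Basic header matches a stored hash, else None."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    access_key, sep, secret_key = decoded.partition(":")
    if not sep:
        return None
    # Compare against a dummy digest for unknown access keys so that the
    # comparison runs in the same time whether or not the key exists.
    stored = _KEYS.get(access_key, hashlib.sha256(b"unknown-access-key").digest())
    presented = hashlib.sha256(secret_key.encode()).digest()
    if hmac.compare_digest(stored, presented) and access_key in _KEYS:
        return access_key
    return None
```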