Hacker News

calrain, today at 6:38 AM (2 replies)

I don't like giving away any information whatsoever in an API key, and would lean towards a UUIDv7 string, just trying to avoid collisions.

Even the random hex with checksum component seems overkill to me, either the API key is correct or it isn't.


Replies

andrus, today at 7:39 AM

GitHub introduced checksums to their tokens to aid offline secret scanning. AFAIK it’s mostly an optimization for that use case. But the checksums also mean you can reveal a token’s prefix and suffix to show a partially redacted token, which has its benefits.

sneak, today at 9:42 AM

Identifying an opaque value is useful for security analysis. You can use regex to see when they are committed to repos accidentally, for example.
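A worked illustration of what both replies describe, added here as an example and not posted by any commenter: a constructed token layout (fixed prefix, random base62 body, CRC32 checksum encoded in base62; this is not GitHub's actual format), an offline checksum check, a scanner that only reports regex hits whose checksum verifies, and a prefix/suffix redaction helper. The prefix `exk_` and all lengths are assumptions.

```python
import re
import secrets
import zlib

# Constructed token layout (assumption, not GitHub's real one): a fixed prefix,
# a random base62 body, and the CRC32 of the body encoded as 6 base62 chars.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PREFIX = "exk_"   # hypothetical prefix chosen for this example
BODY_LEN = 30
CHECK_LEN = 6     # 62**6 > 2**32, so CRC32 always fits


def base62(n: int, width: int) -> str:
    """Encode n as a fixed-width base62 string, left-padded with '0'."""
    out = ""
    while n:
        n, r = divmod(n, 62)
        out = ALPHABET[r] + out
    return out.rjust(width, "0")


def checksum(body: str) -> str:
    return base62(zlib.crc32(body.encode()), CHECK_LEN)


def mint_token() -> str:
    body = "".join(secrets.choice(ALPHABET) for _ in range(BODY_LEN))
    return PREFIX + body + checksum(body)


def is_well_formed(token: str) -> bool:
    """Offline check of shape and checksum only; says nothing about server-side validity."""
    if not token.startswith(PREFIX) or len(token) != len(PREFIX) + BODY_LEN + CHECK_LEN:
        return False
    body, check = token[len(PREFIX):-CHECK_LEN], token[-CHECK_LEN:]
    return checksum(body) == check


# Secret-scanning pattern: the prefix followed by body + checksum characters.
TOKEN_RE = re.compile(r"\b" + re.escape(PREFIX) + r"[0-9A-Za-z]{36}\b")


def scan(text: str) -> list[str]:
    """Return candidates that match the pattern AND pass the checksum (fewer false positives)."""
    return [m.group(0) for m in TOKEN_RE.finditer(text) if is_well_formed(m.group(0))]


def redact(token: str) -> str:
    """Show only the prefix plus a few leading and trailing characters."""
    return token[:len(PREFIX) + 4] + "..." + token[-4:]
```

The checksum lets a scanner discard random base62 strings that merely look like tokens, without ever contacting the issuing service.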