
vjay15, today at 9:09 AM (3 replies)

Hello bob! The checksum is for secret scanning offline, and also for rejecting API keys which might have a typo (niche case).

I was just confused regarding the JWT approach, since from the research I did I saw that it's supposed to be a unique string and that's it!
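An added example (not from the thread) of the scheme vjay15 describes: an API key that carries a trailing checksum, so a scanner can validate candidates offline and a server can reject a mistyped key before any database lookup. The `exk_` prefix, the 32-character random part, the 6-character CRC32/base62 checksum and the function names are assumptions for this illustration, not any vendor's real format.

```python
import re
import secrets
import string
import zlib

# Assumed layout for illustration: prefix + 32 random base62 chars + 6 checksum chars.
PREFIX = "exk_"
ALPHABET = string.digits + string.ascii_letters  # base62; ALPHABET[0] == "0"
RANDOM_LEN = 32
CHECK_LEN = 6


def _checksum(body: str) -> str:
    """CRC32 of the prefix+random part, base62-encoded and padded to CHECK_LEN."""
    n = zlib.crc32(body.encode())
    out = ""
    while n:
        n, r = divmod(n, 62)
        out = ALPHABET[r] + out
    return out.rjust(CHECK_LEN, ALPHABET[0])


def generate_key() -> str:
    """Issue a new key: random body from a CSPRNG plus its checksum suffix."""
    body = PREFIX + "".join(secrets.choice(ALPHABET) for _ in range(RANDOM_LEN))
    return body + _checksum(body)


def checksum_ok(key: str) -> bool:
    """Cheap offline check: no secret material and no database access needed.
    A single mistyped character is always caught, because CRC32 detects any
    burst error of 8 bits or fewer."""
    if not key.startswith(PREFIX) or len(key) != len(PREFIX) + RANDOM_LEN + CHECK_LEN:
        return False
    body, check = key[:-CHECK_LEN], key[-CHECK_LEN:]
    return _checksum(body) == check


# Pattern a secret scanner (pre-commit hook, log scrubber) would use to find candidates.
KEY_RE = re.compile(re.escape(PREFIX) + r"[0-9A-Za-z]{%d}" % (RANDOM_LEN + CHECK_LEN))


def scan_for_keys(text: str) -> list[str]:
    """Return only candidates whose checksum verifies, dropping look-alike false positives."""
    return [m for m in KEY_RE.findall(text) if checksum_ok(m)]
```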


Replies

petterroea, today at 9:25 AM

I may be naive, but I can't imagine anyone typing an API key by hand. Optimizing for it sounds like premature optimization; surely stopping the less-than-one-in-a-million HTTP request with a hand-typed API key from reaching the DB isn't worth anything.

bob1029, today at 9:34 AM

The neat thing about JWT is that there are no secrets to scan for. Your secret material ideally lives inside an HSM and never leaves. Scanning for these private keys is a waste of energy if they were generated inside the secure context.

arethuza, today at 9:16 AM

"for rejecting api keys which might have a type" - assuming that is meant to be "typo" - won't they get rejected anyway?
