Ask HN: Has anyone adopted or seen adoption of RFC8959 secret-token?
5 points by unilynx 3 months ago | 2 comments

Has anyone seen adoption of the 'secret-token:' prefix to help prevent leakage of API secrets as described by RFC 8959? Do API users understand its purpose and respond positively or negatively to it?
See also https://www.rfc-editor.org/rfc/rfc8959.txt and https://news.ycombinator.com/item?id=25978185
- finnigja 3 months ago
That particular structure hasn't really taken off, but the general idea of having unique-ish token formats that can be mapped back to a provider is becoming more popular.
Trivy has a pretty good collection of examples that is used for its secret scanning functionality, https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/se....
- tptacek 3 months ago
I don't think the idea is so much that API users understand its purpose so much as that repository hosts like GitHub can scan for it automatically. We don't use secret-token, but we do use a very identifiable fixed constant string prepended to our tokens, for similar reasons.
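The two token shapes the thread compares, shown end to end as an added example (this is not code from the thread, from RFC 8959, or from any poster's project): a minter that emits an RFC 8959 `secret-token:` URI, a minter that emits the fixed-constant-prefix style tptacek describes, and a scanner of the kind a repository host or Trivy would run over committed text. The issuer prefix `exco_` is a hypothetical placeholder, the sample text is constructed, and the 16-character minimum in the RFC 8959 regex is a scanner heuristic of mine (the RFC itself allows a token of one or more `pchar`), added so that prose such as "the 'secret-token:' prefix" does not fire on the closing quote.

```python
import re
import secrets

# Hypothetical issuer prefix for this example only (assumption; not any real provider's format).
PROVIDER_PREFIX = "exco_"
TOKEN_BYTES = 32  # secrets.token_urlsafe(32) -> 43 URL-safe base64 characters


def mint_rfc8959_token() -> str:
    """Mint an RFC 8959 URI: secret-token-URI = "secret-token" ":" 1*pchar.
    token_urlsafe emits only [A-Za-z0-9_-], all of which are RFC 3986 'unreserved', so the
    result is a valid secret-token URI without any percent-encoding."""
    return "secret-token:" + secrets.token_urlsafe(TOKEN_BYTES)


def mint_prefixed_token() -> str:
    """The alternative from the thread: a fixed, distinctive constant in front of the random part,
    so a scanner can attribute a leaked token to the issuer without understanding the scheme."""
    return PROVIDER_PREFIX + secrets.token_urlsafe(TOKEN_BYTES)


# pchar per RFC 3986: unreserved / pct-encoded / sub-delims / ":" / "@"
_PCHAR = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})"
# Scheme names are case-insensitive per RFC 3986, hence IGNORECASE. The {16,} floor is a
# scanner heuristic (assumption), not part of the RFC grammar.
RFC8959_RE = re.compile(r"\bsecret-token:(" + _PCHAR + r"{16,})", re.IGNORECASE)
# The issuer-prefix pattern can be exact because the issuer controls the token length.
PREFIXED_RE = re.compile(re.escape(PROVIDER_PREFIX) + r"([A-Za-z0-9_-]{43})")


def redact(prefix: str, secret: str) -> str:
    """A scanner must never echo the full secret; keep the prefix and 4 characters for triage."""
    return f"{prefix}{secret[:4]}{'*' * (len(secret) - 4)}"


def scan_text(text: str) -> list:
    """Return findings as dicts with the line number, the token kind, and a redacted token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in RFC8959_RE.finditer(line):
            findings.append({"line": lineno, "kind": "rfc8959",
                             "token": redact("secret-token:", m.group(1))})
        for m in PREFIXED_RE.finditer(line):
            findings.append({"line": lineno, "kind": "issuer-prefix",
                             "token": redact(PROVIDER_PREFIX, m.group(1))})
    return findings


def minted_tokens_are_detected() -> bool:
    """Round trip: everything the minters emit must be caught by the scanner."""
    text = f"a={mint_rfc8959_token()}\nb={mint_prefixed_token()}\n"
    return [f["kind"] for f in scan_text(text)] == ["rfc8959", "issuer-prefix"]


# Constructed sample text; none of these are real credentials.
SAMPLE = """\
# constructed sample, not real credentials
export API_TOKEN=secret-token:E92FB7EB-D882-47A4-A265-A0B6135DC842%20%20
curl -H "Authorization: Bearer exco_Lf3Q9vZ2bR7tY1hK4mN8pW0sD6xC5aJ3eG2uT9iO1kQ" https://api.example/v1
# Has anyone adopted the 'secret-token:' prefix from RFC 8959?
password=hunter2
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
    print("round trip ok:", minted_tokens_are_detected())
```

Two things worth noticing when running it: the bare `password=hunter2` line is invisible to both patterns, which is the point the thread makes (a recognisable prefix trades a little token length for a scanner that does not need entropy heuristics), and the `secret-token:` pattern is inherently looser than the issuer-prefix one because the RFC grammar admits almost any URI character and any length, so a host scanning for it has to guard against false positives on prose that merely mentions the scheme.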