Comment by ZiiS
3 days ago
Unrestricted API keys were always secrets. They are created on a page called "Keys & Credentials". The fact that Google even allows unrestricted keys to be created has been a long standing security problem. The fact their docs encouraged it remains unforgivable.
Public keys are a thing in computing, though?
Google Maps has one, even. And Stripe.
It's been a while since I've used stripe but don't their keys start with sk_ for secret and pk_ for public?
I like that. Easy to tell if you should keep the key a secret or not.
They do, yeah.
(Although `pk` always freaks me out. Public or private?! Oh, right, the other one's "secret".)
3 replies →
I would like to restrict the term "Public keys" to refer to asymmetric encryption keys which can be made public without compromising security.
The only purpose of the keys Maps/Stripe encourage you to publicly put into your website is to guarantee it is talking to _your_ Google/Stripe account not someone else's. Obviously once you put them in your client they are of zero value in helping Google/Stripe identify you. The fact that Google allows you to use the same type of key they also use elsewhere to identify _you_ not _them_ was always incredibly bad design. Google already have the 'Project ID' which would have been the best thing to use.
I can maybe understand unrestricted keys (OK, I can't, to be honest).
But the fact that permissions are not hardened at time of creation is bonkers to me.