Unrestricted API keys were always secrets. They are created on a page called "Ke...

ceejayoz · 2026-02-26T11:22:18 1772104938

Public keys are a thing in computing, though?

Google Maps has one, even. And Stripe.

abustamam · 2026-02-26T13:45:04 1772113504

It's been a while since I've used stripe but don't their keys start with sk_ for secret and pk_ for public?

I like that. Easy to tell if you should keep the key a secret or not.

ceejayoz · 2026-02-26T14:23:01 1772115781

They do, yeah.

(Although `pk` always freaks me out. Public or private?! Oh, right, the other one's "secret".)

ZiiS · 2026-02-26T15:05:39 1772118339

Or is `sk` shared key and `pk` private key...

abustamam · 2026-02-27T20:03:50 1772222630

OK now I'm rethinking my life

johanyc · 2026-02-26T22:41:56 1772145716

Honestly we should just always call them public and secret key to avoid confusion

ZiiS · 2026-02-26T15:03:18 1772118198

I would like to restrict the term "Public keys" to refer to asymmetric encryption keys which can be made public without compromising security.

The only purpose of the keys Maps/Stripe encourage you to publicly put into your website is to guarantee it is talking to _your_ Google/Stripe account not someone else's. Obviously once you put them in your client they are of zero value in helping Google/Stripe identify you. The fact that Google allows you to use the same type of key they also use elsewhere to identify _you_ not _them_ was always incredibly bad design. Google already have the 'Project ID' which would have been the best thing to use.

abustamam · 2026-02-26T13:48:08 1772113688

I can maybe understand unrestricted keys (OK, I can't, to be honest).

But the fact that permissions are not hardened at time of creation is bonkers to me.