from Hacker News

Ask HN: Has anyone adopted or seen adoption of RFC8959 secret-token?

by unilynx on 3/24/25, 8:55 PM with 2 comments

Has anyone seen adoption of the 'secret-token:' prefix to help prevent leakage of API secrets as described by RFC8959? Do API users understand its purpose and respond positively or negatively to it?

See also https://www.rfc-editor.org/rfc/rfc8959.txt and https://news.ycombinator.com/item?id=25978185

  • by finnigja on 3/25/25, 4:43 AM

    That particular structure hasn't really taken off, but the general idea of having unique-ish token formats that can be mapped back to a provider is becoming more popular.

    Trivy has a pretty good collection of examples that is used for its secret scanning functionality, https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/se....

  • by tptacek on 3/25/25, 2:08 AM

    I don't think the idea is so much that API users understand its purpose so much as that repository hosts like Github can scan for it automatically. We don't use secret-token, but we do use a very identifiable fixed constant string prepended to our tokens, for similar reasons.
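Both token shapes the thread describes, the RFC 8959 `secret-token:` URI and a provider's fixed constant prepended to every token, exist so that a scanner can recognise a leaked credential from its shape alone. The scanner below is an added example, not code from the RFC, from Trivy, or from any of the commenters: it implements the RFC 8959 grammar (`secret-token` ":" 1*pchar, with pchar taken from RFC 3986), mints and recognises tokens carrying a hypothetical fixed prefix `exmpl_`, scans constructed log lines for both, and redacts what it finds while keeping the identifying prefix so the finding stays attributable.

```python
import re
import secrets

# RFC 8959 grammar: secret-token-URI = "secret-token" ":" token, token = 1*pchar,
# where pchar (RFC 3986) = unreserved / pct-encoded / sub-delims / ":" / "@".
_PCHAR = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})"
SECRET_TOKEN_RE = re.compile(r"secret-token:(" + _PCHAR + r"+)", re.IGNORECASE)

# Second style from the thread: a fixed, recognisable constant in front of every
# token a provider issues. "exmpl_" is a hypothetical prefix chosen for this example.
PREFIX = "exmpl_"
PREFIXED_RE = re.compile(re.escape(PREFIX) + r"[0-9a-f]{32}")

# Constructed log excerpt (not from any real system) with one secret of each shape.
SAMPLE_LOG = """\
2025-03-25T08:00:01Z INFO  GET /v1/items 200
2025-03-25T08:00:02Z DEBUG Authorization: Bearer secret-token:8D9F2C1A-7B3E-4E6A-9C0D-1F2E3D4C5B6A%20x1
2025-03-25T08:00:03Z DEBUG retrying with api_key=exmpl_0123456789abcdef0123456789abcdef
2025-03-25T08:00:04Z INFO  GET /v1/items 200
"""


def mint_prefixed_token(prefix: str = PREFIX) -> str:
    """Issue a new token: the fixed prefix followed by 128 bits of randomness as hex."""
    return prefix + secrets.token_hex(16)


def is_secret_token_uri(value: str) -> bool:
    """True if the whole string is a syntactically valid RFC 8959 secret-token URI."""
    return SECRET_TOKEN_RE.fullmatch(value) is not None


def find_secrets(text: str) -> list[tuple[str, int, str]]:
    """Scan free text (logs, commits, config) for both token shapes.

    Returns (kind, line_number, matched_text) for each hit, in order of appearance.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_TOKEN_RE.finditer(line):
            hits.append(("rfc8959", lineno, m.group(0)))
        for m in PREFIXED_RE.finditer(line):
            hits.append(("prefixed", lineno, m.group(0)))
    return hits


def redact(text: str) -> str:
    """Replace each detected secret with a marker that keeps only the identifying prefix."""
    text = SECRET_TOKEN_RE.sub("secret-token:[REDACTED]", text)
    return PREFIXED_RE.sub(PREFIX + "[REDACTED]", text)


if __name__ == "__main__":
    for kind, lineno, matched in find_secrets(SAMPLE_LOG):
        print(f"line {lineno}: {kind} secret {matched[:16]}...")
    print(redact(SAMPLE_LOG))
```

The value of either convention for a scanner is precision: a bare 32-character hex string is ambiguous, but `secret-token:` or a provider's constant is almost never present by accident, so a rule built around it produces few false positives and tells the responder which issuer to contact for revocation. The RFC grammar is deliberately permissive about what follows the scheme, so a scanner matching it structurally will also flag any well-formed but harmless string in that shape; that is an acceptable trade for a format whose whole purpose is to be conspicuous.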