How to store API_KEY for HTTP Outcall

I read the article below.

Is this issue still open?

I need to call authenticated outbound requests.

3 Likes

Hi @yasuo, unfortunately, this has not been resolved yet.

2 Likes

Hi @yasuo, I asked around a bit and it seems like the ongoing effort for SEV-SNP support is making progress. I guess it will take some time until we see application subnets with all nodes running from within a secure enclave, but once we are there, it will be possible to make outcalls without exposing API keys.
But a little disclaimer: SEV-SNP is not a magic solution. It has some known vulnerabilities and more may be discovered. Developers should be careful and mindful with what they use it for.

5 Likes

I can’t wait for SEV-SNP support.

Hello all, still no solution on the APIs KEY storage (like SEV-SN)? Any forecast?

Not yet, sorry. SEV-SNP support is under development with many people working on it, but it is not ready yet.

1 Like

No reason for be sorry. Let’s keep building. thanks for the answer.

The other side of this would be to start working on creating an standard for API endpoints that take the signature of a key instead of just a key. This would allow canisters to use t-ecdsa to sign the (key + requestbody) and for the API to trust that it came from a canister.

Of course this is quite a hill to climb to get service providers to accept this as well as an API secret, but I’d imagine there are some existing solutions like this…and maybe even a standard out there…already.

2 Likes

hi yotam, any update in this regard? possible to see SEV-SNP progress without slack?

Hi Xalkan

Right now the teams working on SEV-SNP are focused on how to use this technology for HTTP gateways, so it will take quite some time before replica will be able to use it (AMD SEV Virtual Machine Support - #46 by raymondk). There is not ETA known at the moment.

1 Like

Thank you @yvonneanne - where can I find more info on HTTP gateways? It would be great to know your opinion about API keys.

Hi @xalkan
Maybe Boundary Node Roadmap will answer questions you might have on HTTP Gateways?
Note that the gateways won’t solve the problem that API keys could be read by node providers.

Until a solution is available, I’d personally accept the risk (nothing of high value should be controlled with an API key only, therefore I don’t consider an API key leak a big threat) and use an approach like GitHub - internet-computer-protocol/evm-rpc-canister: Interact with EVM blockchains from the Internet Computer. to inject them.

1 Like