How to store API_KEY for HTTP Outcall

I read the article below.

Is this issue still open?

I need to call authenticated outbound requests.

3 Likes

Hi @yasuo, unfortunately, this has not been resolved yet.

2 Likes

Hi @yasuo, I asked around a bit and it seems like the ongoing effort for SEV-SNP support is making progress. I guess it will take some time until we see application subnets with all nodes running from within a secure enclave, but once we are there, it will be possible to make outcalls without exposing API keys.
But a little disclaimer: SEV-SNP is not a magic solution. It has some known vulnerabilities and more may be discovered. Developers should be careful and mindful with what they use it for.

4 Likes

I can’t wait for SEV-SNP support.

Hello all, still no solution for API key storage (like SEV-SNP)? Any forecast?

Not yet, sorry. SEV-SNP support is under development with many people working on it, but it is not ready yet.

1 Like

No reason to be sorry. Let’s keep building. Thanks for the answer.

The other side of this would be to start working on creating a standard for API endpoints that take the signature of a key instead of just a key. This would allow canisters to use t-ecdsa to sign the (key + requestbody) and for the API to trust that it came from a canister.

Of course this is quite a hill to climb to get service providers to accept this as well as an API secret, but I’d imagine there are some existing solutions like this…and maybe even a standard out there…already.

2 Likes
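
The signed-request idea from the last post, seen from the API provider's side, as an added example (not part of any post in this thread and not code from the IC or any service provider). It assumes a locally generated secp256k1 key pair standing in for the canister's t-ecdsa key; the field names, the length-prefixed signing layout and the five-minute freshness window are hypothetical and go beyond the post's (key + requestbody).

```javascript
const nodeCrypto = require('node:crypto');

const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window, not from the thread

// Bytes that get signed: key id, timestamp and body. Each field is
// length-prefixed so bytes cannot be shifted from one field into another.
function signingInput(keyId, timestampMs, body) {
  const parts = [keyId, String(timestampMs), body].map((p) => Buffer.from(p, 'utf8'));
  return Buffer.concat(parts.flatMap((p) => {
    const len = Buffer.alloc(4);
    len.writeUInt32BE(p.length);
    return [len, p];
  }));
}

// Stand-in for the canister side: a local private key signs here, where a
// canister would ask the subnet's threshold ECDSA service for the signature.
function signRequest(privateKey, keyId, timestampMs, body) {
  const input = signingInput(keyId, timestampMs, body);
  return nodeCrypto.sign('sha256', input, privateKey).toString('base64');
}

// API side: only public keys are stored, so nothing secret travels in the
// request and nothing secret has to live in canister state.
function verifyRequest(registeredKeys, req, nowMs) {
  const publicKey = registeredKeys.get(req.keyId);
  if (!publicKey) return { ok: false, reason: 'unknown key id' };
  // A time window is used instead of a single-use nonce, on the assumption
  // that the same signed request may reach the API more than once.
  if (Math.abs(nowMs - req.timestampMs) > MAX_SKEW_MS) {
    return { ok: false, reason: 'stale timestamp' };
  }
  const input = signingInput(req.keyId, req.timestampMs, req.body);
  const sig = Buffer.from(req.signature, 'base64');
  const valid = nodeCrypto.verify('sha256', input, publicKey, sig);
  return valid ? { ok: true } : { ok: false, reason: 'bad signature' };
}

// Constructed sample request: genuine, body-tampered and late-replayed copies.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const keys = new Map([['canister-demo', publicKey]]);
  const now = 1700000000000;
  const body = '{"amount":10}';
  const req = { keyId: 'canister-demo', timestampMs: now, body,
    signature: signRequest(privateKey, 'canister-demo', now, body) };
  return {
    genuine: verifyRequest(keys, req, now + 1000),
    tampered: verifyRequest(keys, { ...req, body: '{"amount":9999}' }, now + 1000),
    replayedLate: verifyRequest(keys, req, now + MAX_SKEW_MS + 1),
  };
}
```

An observer who captures the full request learns no reusable credential: changing the body invalidates the signature, and an unchanged copy is only accepted inside the freshness window.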