Imagine you have an API key that allows access to a machine learning service. Why should you change (rotate) this key regularly?
Think about what happens if someone else gets your key.
Rotating API keys regularly helps prevent unauthorized access if a key is leaked or stolen. It limits the time a compromised key can be used.
Consider this Python code that checks if an API key is valid by length and prefix:
def is_valid_key(key):
return key.startswith('sk-') and len(key) == 32
print(is_valid_key('sk-12345678901234567890123456789'))
print(is_valid_key('pk-12345678901234567890123456789'))
print(is_valid_key('sk-12345'))What will be printed?
Check the prefix and length conditions carefully.
The first key starts with 'sk-' and has length 32, so True. The second key starts with 'pk-', so False. The third key starts with 'sk-' but length is less than 32, so False.
You deployed a machine learning model that calls an external API. Which method is safest to store the API key?
Think about who can access the stored key in each method.
Environment variables on the server keep the key hidden from users and source code, reducing risk. Hardcoding or public repos expose the key. Client-side code exposes it to anyone using the app.
Some API keys can be set to expire quickly (e.g., every 5 minutes). What is a likely effect of this setting?
Think about trade-offs between security and usability.
Short expiration improves security by limiting how long a stolen key works but may cause frequent re-authentication, leading to interruptions.
Look at this Python code snippet that should check if an API key is valid:
def check_key(key):
if key == 'sk-1234567890abcdef1234567890abcdef':
return True
else:
return False
print(check_key('sk-1234567890abcdef1234567890abcdef '))Why does the function return False even though the printed key looks the same?
Check for invisible characters like spaces.
The input key has an extra space at the end, so the equality check fails. Strings must match exactly including spaces.