http.StatusBadGateway? This should be unauthorized, no?

This error has a detail that specifies the length must be 64, and I thought it felt more like a 400 in that regard.

omg I meantStatusBadRequest...

64 is probably longer than we need if we are using alpha (lower & upper) + numbers. When we using hex strings, technically they are case insensitive, so you only get 16 options vs the now 62 (26 lower, 26 upper, 10 numeric)

You only need ~43 characters to match the same search space as 64 hex characters. We only use22 characters for our api keys (I bet we copied someone else here).

It does not really matter, but if we are shortening our keys, we can at least shorten them to 43 and keep the same level of security as 64 hex characters. Which is super common.

16^64 = 1.157920e+7762^43 = 1.182613e+77log(16^64)/log(62) = 42.9948 <-- basically 43

Thoughts on going even shorter? 64 is such an excessive level of security.

Of course, I was leaning on better safe than sorry but let's go short - 32 sound good?

32 is ~190 bits of entropy. 43 gets us to 256, which is common in symmetric key encryption.

At the end of the day, 32 vs 43 feels completely arbitrary and probably sufficient, but 43 feels like "random" than "32" in the fact it lines up with 256bit. 🤷‍♂️

I don't think 43 looks too bad. That's just my 2c.

43 characters long

RrMe58fCjqyf7A8uRivKq3hQDcC3y5N5rnUWSRz5QA1KH5y6hAUAJjymG8Xrjia4NY3yz3crenkmuEkT4T3N3TEiuE7aDvUZyG1TqAtiikKR5rW6WkmG2RuEjCLXi3z2B0ZRpbhZibWFfdDjRbb6fQzqy7baCBq2JQFKjDeA

32

VB3StT1Uj0CvP6LX2iMzX3eDACKPEBzFjaDjJSPNLygpKLUELrUU5m5fuNbTfvV73QvMTSuRLwn7x0hbX4YJQKf2GMcL3TA5G6LkDZdw1rumSZuLyMLGUYi15hvR38jA

64

qySKB6Zi6XLmahApVJLM5GMYP9TGy6BEyCYUC7KbVH0AE5h07W0eWg2Cqmjw7gCFpSngALfmYcVmMETAAcntnp2bzZkRC90pYRa2fC5MmvHMuQHZ7hwg5eGMnWfnbCUut5gFjyTD3iy8J9emR6B7TSCwCYrcwJGLQXBw4zPMM0AS9E89DMXy4bK4V4FtJ1qwv4C06YWqALYBpMScm7AuVYwzun0iEb5iCpQyg2fEWgfreNL2W6itRfzeS1cic1XY537TcRdc3McvbTKtN4uZRfRp68hrnYJieHHtJp4d9tNWbFFxvrECv0umzig7UUk9

43 it is 😄