TL;DR: If BraveServiceKey
is not a secret, can I hard-code a default value in open source Brave repos? Or, if BraveServiceKey
is a secret, how should contributors to Brave projects handle it?
Why BraveServiceKey
Matters to Contributors
Some *.brave.com
domains require that requests include a valid braveservicekey
header. Unsurprisingly, some of those domains are used by code (e.g., tests) in various open-source Brave repos. At the same time, there’s no default value or instructions that I could find for how contributors should manage this key.
Further Confusion
At least one repo treats BRAVE_SERVICE_KEY
as a “secret,” which puts me in a weird spot for a couple of reasons.
-
It’s… not a secret? A valid value for the key is shown in the original GitHub issue, and I know it’s valid because my Brave browser sends the same key.
-
As a would-be contributor, one interpretation of it being a “secret” is that I shouldn’t be hitting those endpoints, which is awkward considering that my browser hits those endpoints already.
Prior Work
There’s a similar question on Reddit that didn’t get an answer, so I figured I’d try this site instead.
Update, November 1
I’m adding an update with some minor edits to hopefully prevent the issue from auto-closing.