Hide secondary key in the profile details

[CER-ChrisA]

Our business stakeholders would like to have the secondary key hidden from vie in the developer portal. Is this easily achieved?

[ghost]

@CER-ChrisA, thank you for opening this issue. We will triage it within the next few business days.

[mikebudzynski]

@CER-ChrisA, this scenario isn't currently supported out of the box and isn't on our roadmap. As an immediate workaround:

• You can use the self-hosted portal to modify the behavior of the widget
• You can contribute the change (widget configuration setting to hide the secondary key from the display) as a pull request, so we could incorporate it into the managed portal

[ghost]

@CER-ChrisA, thank you for requesting this feature.

[traviswhipps]

@mikebudzynski, Hi. We are thinking of going with the work-around to contribute the change as a pull request for this feature. As hiding the secondary key needs to be specific to an API, I was thinking of adding a checkbox to the Product Subscribe Form editor widget that will then pass through a boolean to the Subscription component on create that will then hide the secondary key if selected. The secondary key will always show by default.
This will mean that I will need to edit the createSubscription method on productService. Is this a good approach to this feature? Thanks.

[mikebudzynski]

@traviswhipps, on a second thought, changing the developer portal to not display the secondary key isn't sufficient - the key would still be part of the HTTP response, which the logged-in user could inspect using the browser's developer tools. Disabling the access to the secondary key needs to be implemented in the API Management's backend service. We wouldn't be able to accept a PR that just hides the key in the developer portal interface as it may cause a false sense of security to our customers and pose a security risk.

What's the reason for hiding the secondary key?