|
| 1 | +# Sensitive fields |
| 2 | + |
| 3 | +Sometimes APIs need to collect sensitive information such as private encryption |
| 4 | +keys meant to be _stored_ by the underlying service but not intended to be |
| 5 | +_read_ after writing due to the sensitive nature of the data. For this type of |
| 6 | +data, extra consideration is required for the representation of the sensitive |
| 7 | +data in API requests and responses. |
| 8 | + |
| 9 | +## Guidance |
| 10 | + |
| 11 | +If the sensitive information is _required_ for the resource as a whole to |
| 12 | +exist, the data **should** be accepted as an [input-only field][input-only] |
| 13 | +with no corresponding output field. Because the sensitive data must be present |
| 14 | +for the resource to exist, users of the API may assume that existence of the |
| 15 | +resource implies storage of the sensitive data. For example: |
| 16 | + |
| 17 | +```typescript |
| 18 | +interface SelfManagedKeypair { |
| 19 | + // The resource name of the keypair. |
| 20 | + name: string; |
| 21 | + |
| 22 | + // The public key data in PEM-encoded form. |
| 23 | + publicKey: Buffer; |
| 24 | + |
| 25 | + // The private key data in PEM-encoded form. |
| 26 | + set privateKey(k: Buffer): void; |
| 27 | +} |
| 28 | +``` |
| 29 | + |
| 30 | +If the sensitive information is _optional_ within the containing resource, an |
| 31 | +[output-only][] boolean field with a postfix of `_set` **should** be used to |
| 32 | +indicate whether or not the sensitive information is present. For example: |
| 33 | + |
| 34 | +```typescript |
| 35 | +interface Integration { |
| 36 | + name: string; |
| 37 | + uri: string; |
| 38 | + |
| 39 | + // A secret to be passed in the `Authorization` header of the webhook. |
| 40 | + set sharedSecret(secret: Buffer): void; |
| 41 | + |
| 42 | + // True if a `shared_secret` has been set for this Integration. |
| 43 | + readonly sharedSecretSet: boolean; |
| 44 | +} |
| 45 | +``` |
| 46 | + |
| 47 | +If it is important to be able to identify the sensitive information without |
| 48 | +allowing it to be read back entirely, a field of the same type with an |
| 49 | +`obfuscated_` prefix **may** be used instead of the boolean `_set` field to |
| 50 | +provide contextual information about the sensitive information. The specific |
| 51 | +nature of the obfuscation is outside the scope of this AIP. For example: |
| 52 | + |
| 53 | +```typescript |
| 54 | +interface AccountRecoverySettings { |
| 55 | + // An email to use for account recovery. |
| 56 | + set email(s: string): void; |
| 57 | + |
| 58 | + // An obfuscated representation of the recovery email. For example, |
| 59 | + // `ada@example.com` might be represented as `a**@e*****e.com`. |
| 60 | + readonly obfuscatedEmail: string; |
| 61 | +} |
| 62 | +``` |
| 63 | + |
| 64 | +[input-only]: /203#input-only |
| 65 | +[output-only]: /203#output-only |
0 commit comments