diff --git a/keymanager-oapi.yaml b/keymanager-oapi.yaml index 5bd9905..f868e5a 100644 --- a/keymanager-oapi.yaml +++ b/keymanager-oapi.yaml @@ -12,9 +12,12 @@ info: All requests by default send and receive JSON, and as such should have either or both of the "Content-Type: application/json" and "Accept: application/json" headers. - All sensitive routes are to be authenticated with a token. This token should be provided by the user via a secure channel: - - Log the token to stdout when running the binary with the key manager API enabled - - Read the token from a file available to the binary + All sensitive routes MUST be authenticated with a token. + + The key manager binary SHOULD accept a configuration parameter: `token-file`, which designates a file containing the hex-encoded token + of at least 256 bits. If such a parameter is not given, the client SHOULD generate such a token and write it to a file, to be reused + across multiple restarts of the binary. If such a parameter is given, but the file or token cannot be read, the client SHOULD treat this + as an error: either abort the startup, or show the error and continue without exposing the key manager routes. version: "v1.0.0" contact: name: Ethereum Github @@ -63,7 +66,7 @@ components: bearerAuth: type: http scheme: bearer - bearerFormat: URL safe token, optionally JWT + bearerFormat: URL safe, opaque token schemas: Pubkey: