Limiting the use scope of our secrets in Latch with “Limited Secrets”

When creating a Latch app as a developer, Latch provides us with an application identifier (appId) and a secret.

These two keys allow us to sign the requests sent to the API, in order to ensure that we are the legitimate owners of that app.

Example of app ID and secret in an application.

However, there are multiple scenarios where that secret can be compromised by a third party: desktop applications, mobile apps, etc.

In these scenarios, a compromised secret could allow a potential attacker to perform API operations not wanted by the developer. To prevent this and to be able to continue offering Latch functionalities in these scenarios, “Limited Secrets” are born.

For each app, a maximum of 3 secrets with a limited scope can be created from the settings of the app itself. These secrets are used in the same way as the master secret, but can only be used to sign those requests for which they have been configured.

Limited secrets may contain one or more of the following permissions:

• Status: It allows the performance of status calls to the API in order to find out the status of a Latch.
• Pairing: It allows the use of a user’s pairing and unpairing calls.
• Support: It allows the use of API support calls to lock and unlock “latches”.
• History: It displays the action history of a service.
• Operations: It provides access to perform operation management calls. This management makes it possible to create, edit, query and delete operations.
• Instances: It provides access to perform instance management calls. This management makes it possible to create, edit, query and delete instances. The ‘STATUS’ permission is used to check the status of an instance, and the ‘SUPPORT’ permission is used to modify that status.

Example of secret, only with “Status” and “Pairings” permissions.

So if we have a software component that we want to distribute, that includes the Latch functionality and that will only perform Pairing/Unpairing actions or check the status of a Latch, we can distribute a Limited Secret with permissions for these functionalities only.

It is worth mentioning that even if secrets are distributed with these permissions, in order to make calls such as unpairing a user or knowing the status of their Latch, we would need another additional factor: their “Account ID” with Latch.

Therefore, we encourage you to use this type of secrets whenever you carry out integrations in software components that are to be distributed and that can be easily compromised. Do not hesitate to visit our community if you have any problem while using them.