Secrets digest algorithm


When querying for secrets with the API, the user cannot see the plain-text value, only a digest.

Is the digest algorithm public so users can determine if a secret changed without updating it and seeing if the digest changes?

A side question: If I update a secret with the same value, will that trigger a deploy?


1 Like

Yes! That’s exactly what the digest is for. It’s also for us to determine if a secret changes.

If you update a secret with the same value, it’s a noop. We detect that and don’t restart the VMs.

I now realize I did not express myself correctly. My question was:

Is the algorithm to compute the digest public, so that I can compute it on my side, and avoid doing the request to update a secret to the same value.

Although if it is a noop there is less value in doing so.

Ah, yes. It’s just an md5, this is the exact Ruby we use:

digest = Digest::MD5.hexdigest(val)

You are free to compute your own digests. This is something that could change in the future, though I don’t know why we would.

Thanks a lot!