Introducing a new server key format

Any server keys generated starting today for the Cfx.re platform will have a more defined format, in line with a trend across other services, such as GitHub.

What?

The new format looks a bit like cfxk_1kDPPvLBZmXOUehqU7utw_4PGjtG, as opposed to the old format which looked like 0zgxi7b1df97rght0x1z8sol4q3n2o1z.

To be precise, the format is as follows:

        $bytes = /* random bytes */;
        $token = sprintf('cfxk_%s', $base62->encode($bytes));
        
        return sprintf('%s_%s', $token, $base62->encode(hash('crc32b', $token, true)));

It should be noted that this means a valid key can still be derived even if the suffix is anonymized, and therefore you should still avoid sharing any part of your key.

Why?

The new key format makes it clearer that an arbitrary string is a Cfx.re license key, and not any other random string. This can be used by auditing tools to prevent keys from being exposed to the public.

What do I need to do?

No action is required for this change. Optionally, you can re-generate keys for any existing server registrations in case you want to benefit from potential security improvements with the new key format via the ‘Regenerate’ button in the key service.

We are not intending to deprecate old keys now or in the near future.

54 Likes
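One way an auditing tool could use the format described in the post above, as an added example that is not Cfx.re's code: it finds `cfxk_` candidates in text and keeps only those whose CRC-32 suffix verifies, which filters out look-alike strings. The base62 alphabet (digits, uppercase, lowercase) and the big-integer encoding are assumptions, since the post does not say which `$base62` encoder is used.

```python
import re
import zlib

# Assumption: digits-first base62 alphabet; the post does not name the encoder.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Shape from the post: cfxk_<base62 of random bytes>_<base62 of CRC-32>
CANDIDATE = re.compile(
    r"(?<![0-9A-Za-z_])(cfxk_[0-9A-Za-z]+)_([0-9A-Za-z]{1,6})(?![0-9A-Za-z_])"
)


def base62_encode(data: bytes) -> str:
    """Encode bytes as one big-endian integer in base62 (assumed behaviour)."""
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 62)
        digits = ALPHABET[rem] + digits
    return digits or ALPHABET[0]


def checksum_for(token: str) -> str:
    """Mirror hash('crc32b', $token, true): CRC-32 as 4 big-endian bytes."""
    crc = zlib.crc32(token.encode("ascii"))
    return base62_encode(crc.to_bytes(4, "big"))


def find_keys(text: str) -> list[tuple[int, str]]:
    """Return (line number, redacted key) for candidates whose checksum verifies."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            token, suffix = m.group(1), m.group(2)
            if checksum_for(token) == suffix:
                # Report only a short prefix so the finding does not leak the key.
                hits.append((lineno, token[:9] + "..."))
    return hits


if __name__ == "__main__":
    # Constructed sample: a key built from fixed bytes, not a real credential.
    token = "cfxk_" + base62_encode(bytes(range(1, 17)))
    sample = f'license = "{token}_{checksum_for(token)}"\nother = "cfxk_abc_zzzzzz"'
    print(find_keys(sample))
```

Because the suffix is recomputed from the token alone, a key with only its suffix masked is still complete, which is the point the post makes about not sharing any part of a key.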

Awesome. Makes it easier to organize all my keys without having to specify which key is for which service.

9 Likes

damn :heart_eyes:

8 Likes

Great job :partying_face:

6 Likes

This topic was automatically closed after 7 days. New replies are no longer allowed.