I only joined to get an API key for SDAI FOSS, an Android GUI/interface, but this site says NEVER share your API key with anyone. Is SDAI FOSS a phishing scam? Should I not input an API key I would be getting for the sole purpose of using the SDAI FOSS GUI/interface?
API keys (tokens) are the children of passwords, so to speak. Even if you leak it to others, they cannot do anything as good as your password.
However, if you leak a read token, it is actually possible to send prank messages to other people’s accounts in the name of your account.
Leaking the write token is even more disastrous, for example, they can upload any number of dangerous files to your account. In the worst case scenario, you will be guilty of a crime under the laws of your country. (I don’t know of any actual cases that go that far, but just in theory.)
In practical terms, if the read token is leaked, well, it is not that scary.
It is safer if you name your read tokens according to their use and destroy or refresh them at an appropriate time.
Also, there is actually a kind feature where the HF side will send a warning if possible and automatically disable the tokens if a leak is actually confirmed. (There are also false positives. That’s how I found out.)