Email address + GitHub API = public SSH key

We're building our user signup flow which does something awesome, but unexpected, so this serves as a short explanation to link to.

After verifying their email with Resin.io, some of our users will see a "get from GitHub" link under the public key textarea.

Clicking that link gets the SSH key automatically filled in by our system, without further user action. While it may be unusual, there's nothing nefarious involved. In fact, anyone can do it, and that's all right.

GitHub allows retrieving a user's account name by searching with their email:

https://api.github.com/search/users?q=<email here>

When you have a username, you can retrieve the public key(s):


In fact, GitHub serves the Access-Control-Allow-Origin: * header, which means we can do these requests directly in the user's browser without involving our server.
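The two-step lookup described above, as an added example (not Resin.io's own signup code): search users by email, take the matching login, then list that account's public keys. The search route is the one quoted in the post; the keys route, `/users/{login}/keys`, is GitHub's documented REST endpoint and is not taken from the post. The fetch implementation is injectable and the sample GitHub responses are constructed, so the example runs offline; in a browser the global `fetch` works because of the CORS header mentioned above.

```javascript
// Added example, not Resin.io's code: email -> GitHub login -> public SSH keys.
// Runs in a browser (GitHub's Access-Control-Allow-Origin: * header allows it)
// or in Node. The two endpoints are real GitHub REST API routes; the sample
// responses and the fake fetch below are constructed for this example.

const GITHUB_API = 'https://api.github.com';

// Syntactically well-formed OpenSSH public key: known type, base64 blob, optional comment.
const SSH_KEY_RE = /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( \S+)?$/;

// Step 1: pick the account from a /search/users response. Returns null when
// nothing matched. The search is a best-effort match on public profile data,
// so the UI should show which login was chosen before the form is submitted.
function pickLogin(searchResult) {
  if (!searchResult || !Array.isArray(searchResult.items) || searchResult.items.length === 0) {
    return null;
  }
  return searchResult.items[0].login;
}

// Step 2: keep only syntactically valid keys from a /users/{login}/keys
// response, so malformed data never lands in the signup textarea.
function extractKeys(keysResult) {
  if (!Array.isArray(keysResult)) return [];
  return keysResult
    .map((entry) => (entry && typeof entry.key === 'string' ? entry.key.trim() : ''))
    .filter((key) => SSH_KEY_RE.test(key));
}

// Orchestrates the two requests. fetchImpl is injectable so the logic can be
// exercised offline; in a browser the default global fetch is used.
async function lookupPublicKeys(email, fetchImpl = globalThis.fetch) {
  const headers = { Accept: 'application/vnd.github+json' };

  const searchUrl = `${GITHUB_API}/search/users?q=${encodeURIComponent(email)}`;
  const searchResp = await fetchImpl(searchUrl, { headers });
  if (!searchResp.ok) throw new Error(`user search failed: HTTP ${searchResp.status}`);
  const login = pickLogin(await searchResp.json());
  if (login === null) return { login: null, keys: [] };

  const keysUrl = `${GITHUB_API}/users/${encodeURIComponent(login)}/keys`;
  const keysResp = await fetchImpl(keysUrl, { headers });
  if (!keysResp.ok) throw new Error(`key listing failed: HTTP ${keysResp.status}`);
  return { login, keys: extractKeys(await keysResp.json()) };
}

// Constructed stand-in for GitHub so the example runs without network access.
const SAMPLE_KEY = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExam alice@laptop';
const FAKE_GITHUB = {
  [`${GITHUB_API}/search/users?q=alice%40example.com`]: { total_count: 1, incomplete_results: false, items: [{ login: 'alice' }] },
  [`${GITHUB_API}/search/users?q=nobody%40example.com`]: { total_count: 0, incomplete_results: false, items: [] },
  [`${GITHUB_API}/users/alice/keys`]: [{ id: 1, key: SAMPLE_KEY }, { id: 2, key: 'not a key at all' }],
};

function fakeFetch(url) {
  const body = FAKE_GITHUB[url];
  return Promise.resolve({
    ok: body !== undefined,
    status: body !== undefined ? 200 : 404,
    json: () => Promise.resolve(body),
  });
}

// Usage: with the constructed data this resolves to { login: 'alice', keys: [SAMPLE_KEY] }.
lookupPublicKeys('alice@example.com', fakeFetch).then((result) => console.log(result));
```

Two design points worth keeping when wiring this into a real form: the search only finds accounts whose email is visible in public profile data, so an empty result is normal and should leave the textarea untouched, and the selected login should be displayed next to the filled-in key so the user can confirm the account is theirs before submitting.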

While it may seem odd that your public key is filled automatically when using the same email on resin.io that you've used on GitHub, it's important to remember that a public key is meant to be public.

We hope to see public key cryptography used in more and more places, so we're happy that GitHub has effectively become a public key repository offering lookup via email.

As a use case, Resin.io is a perfect fit, since the public SSH key is the trickiest part of our signup process, and most of our users already have a GitHub account. If anything, we're hoping to see this pattern normalised in users' expectations and used more widely.

Any questions, or would you just like to say hi? Come find us on our community chat.
