If you read this post https://hive.blog/hive-181335/@awbvious/why-does-3speak-need-an-active-key , I was wondering why Threespeak needed my active key. It was not clear at all. I have since had a few more conversations with support.
TLDR: You need the active key to give posting authority to a Dapp, which is not the same as using a posting key to post. Further, support says the active key never leaves the browser. Nonetheless, go to https://hivesigner.com/authorize/threespeak , authorize there, and you never have to put it in 3speak.online . If you want to revoke the authority go to https://hivesigner.com/revoke/threespeak . Alternatively, use PeakD to maintain all your authorities here https://peakd.com/@[username]/permissions (enter your username instead of [username]). But to use PeakD, you'll have to give posting authority to both PeakD and threespeak that way.
So, here's what I received from support on June 30, 2020:
Posting Authority can only be granted using the active key. Active Authority (which 3speak does not use) can only be granted using the owner key.
I wrote back the same day, June 30, 2020:
I think I know why you are saying "Posting Authority can only be granted using the active key" : https://esteem.app/@good-karma/steem-multi-authority-permissions-and-how-posting-authority-works-2017529t84022790z
You are referring to a process whereby I could use my active key to give permission to another app (namely you) to post on my behalf, rather than when apps (like hive.blog) simply ask for the posting key. (According to this link, in case of disputes giving the posting key could go badly.)
What's notable about this article is it does not require the app (in this case 3speak) to ever need to actually receive the active key. Further, what happens with this process once keys are changed via the owner key? Does this permission disappear? I'd need to know that (especially since I might want to do that so you don't have my current, active key--though I don't like the idea of you having one at any time). I'd much prefer being able to manage this sharing of permissions myself from my wallet (e.g. another tab of wallet.hive.blog) and at no point actually give you my active key. Actually giving you the key seems both unnecessary and contrary to the concept of multi authority permissions. And/or are you disputing this line of text from wallet.hive.blog that says "anyone with access to this [active] key can take your tokens"?
Please respond with more than two sentences. I have many questions that I feel you are not answering directly in all these emails. I would appreciate you answering each question, from all these emails, directly.
Thanks.
They wrote back the same day, June 30, 2020:
Your account has 7 different authorities: owner, active and posting each can have key and account authorities, while the memo authority only has one key auth.
To be able to use 3speak you need to grant posting authority to the account "threespeak". How you do it is up to you. The easiest way is using our website. You can change each type of authority individually. That means you can change owner authority without touching active or posting authority. You can even have different seeds for each authority. You can add and remove authorities as you wish at any time. But you won't be able to use 3speak without granting posting authority to "threespeak". The key that you enter also never leaves your browser. It is converted to a public key, then checked if it's the right one by comparing the public key generated from the key you entered with the one stored on the blockchain. If the key is correct it is used to sign a string message. Only the signed message (which only contains random characters) is sent to our server where we validate the signature. If the validation is successful the platform grants you access to the hive account you authorized. Granting any type of authority will always require you to somewhere enter your active key, no matter if it is your wallet or 3speak.online.
Obviously, once they said that the key never leaves the browser, I was more comfortable with putting it into 3speak.online. Nonetheless, since they said other methods were available, I did some research and found other methods.
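The login flow support describes (derive the public key locally, compare it with the on-chain key, sign a random string, send only the signature) can be sketched as follows. This is an added example, not 3speak's code and not part of the original emails: it uses Node's built-in crypto with PEM-encoded secp256k1 keys instead of Hive's own key and signature formats, and the names `chain`, `issueChallenge`, `clientLogin` and `serverVerify` are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed sample: a key pair standing in for the user's active key, and the
// public half as it would be stored for the account (hypothetical layout).
const user = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
const pem = (k) => nodeCrypto.createPublicKey(k).export({ type: 'spki', format: 'pem' });
const chain = { alice: { activePublicKey: pem(user.privateKey) } };

// Server: issue a single-use random challenge (the "string message").
const pending = new Set();
function issueChallenge() {
  const c = nodeCrypto.randomBytes(16).toString('hex');
  pending.add(c);
  return c;
}

// Browser: derive the public key from what the user typed, compare it with the
// on-chain key, and only then sign. The return value is all that is transmitted.
function clientLogin(account, enteredPrivateKey, challenge) {
  if (pem(enteredPrivateKey) !== chain[account].activePublicKey) {
    throw new Error('entered key does not match on-chain active key');
  }
  const signature = nodeCrypto.sign('sha256', Buffer.from(challenge), enteredPrivateKey);
  return { account, challenge, signature: signature.toString('hex') };
}

// Server: accept only a challenge it issued, once, signed by the on-chain key.
function serverVerify(msg) {
  if (!pending.delete(msg.challenge)) return false; // unknown or replayed
  const record = chain[msg.account];
  if (!record) return false;
  return nodeCrypto.verify('sha256', Buffer.from(msg.challenge),
    record.activePublicKey, Buffer.from(msg.signature, 'hex'));
}
```

The message the server receives carries no key material, but the protocol alone cannot show what else the page's script does with the typed key; the Hivesigner route described below keeps the key off the Dapp's page altogether.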
I wrote to them just now, July 2, 2020:
You may be right about the active key never leaving your browser during the threespeak account creation process; nonetheless, I have found two ways that only require giving your Active key to Hivesigner.
1. Use https://hivesigner.com/authorize/threespeak . Go directly to that URL. Click continue. (If you are already logged into Hivesigner, you may need to click "Import Account".) Then put in username and active key. Thus, I need to give my active key only to hivesigner. If I want to remove the access, I have to go to https://hivesigner.com/revoke/threespeak . However, Hivesigner does not give you a dashboard of all your authorized posting authorities. So it would seem I'd have to always remember when I give authority if I want to revoke it and I only use option 1.
2. Use Peakd. That gives you a dashboard and a way to manage all your posting authorities, but it requires giving posting authority to two Dapps, instead of just one. Go to peakd.com and log in with hivesigner, then follow steps in 1 to use active key to give posting authority to peakd.com . Then you can go to https://peakd.com/@[username]/permissions . Click "Grant Authority", enter "threespeak". It will send you to hivesigner again, then follow steps in 1 again.
Both options are better, if you ask me, as neither requires putting your active key in any Dapp directly. In both cases, you only give the active key to hivesigner. In the second option, it's arguably less secure as now two Dapps have posting authority, but having the visibility of all Dapps with posting authority is perhaps worth the tradeoff. I suggest that in your account creation process, you give the user the option to go to https://hivesigner.com/authorize/threespeak or enter the Active key directly into 3speak.online. And in your FAQ you explain that while a Posting key is indeed all one needs when posting on some Dapps (e.g. when on hive.blog), it then requires giving the posting key directly to the Dapp. To authorize posting ability to another Dapp (e.g. when using threespeak or Peakd) you need to use your Active key, but at least in that case you do not have to ever directly give the Dapp the Active key to accomplish the task.
Of course, now that I know one Dapp uses directly giving the posting key for posting ability, but two Dapps use indirectly giving the active key to give posting ability... I'm wondering who, if anyone, is doing it the "right" way.
Thanks.
As you can see, I'm still left wondering why hive.blog (which I am using right now) uses the posting key directly and why threespeak uses the active key indirectly, and if one of them is doing it "wrong." Nonetheless, I'm satisfied now that I know I do not have to give 3speak my active key directly.