The active key is needed to grant posting authority. The best way to do this is by signing a transaction locally in your browser so that your keys never leave your device.
The best way to do this is by using Hivesigner or Hive Keychain. It is not a best practice to input the active key directly on the website. If 3Speak is doing this, it doesn't mean that they keep the active key (if the operation is done locally in your browser), but it is a security risk if the website is compromised.
Once the posting authority is granted by signing the operation with the active key, it is no longer needed to interact with the app or website.
Does 3Speak use Hivesigner or Keychain?
If that's the case, why are some people only being asked for their posting key, and not their active key?
No, 3Speak does not use Hivesigner or Keychain.
Maybe some users already granted posting authority with their active key before and the website doesn't need that anymore. But I am just speculating.
Okay. I guess it's not as unusual as I thought.
I can see in the code on the site that they test a signed message to check the active key:
let signed_message = sign(res.challenge, $('#wif_2_5').val(), account, 'active')
So it seems to be fine.
I thought I understood the permissions of the posting and active keys, but I was mistaken. Thank you for your help.
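
To see what a posting-authority grant like the one discussed in this thread leaves on an account, the following added example (not code from 3Speak or from anyone in the thread) audits an account's authority fields for delegations beyond what the user expects. The account data is constructed, and the account names, key strings, and the `audit` and `delegates` helpers are hypothetical; the field names follow the Hive authority layout (`weight_threshold`, `account_auths`, `key_auths`).

```python
# Constructed sample shaped like a Hive account's authority fields.
# All account names and public keys below are placeholders.
SAMPLE_ACCOUNT = {
    "name": "alice.example",
    "posting": {
        "weight_threshold": 1,
        "account_auths": [["video.app.example", 1]],  # app granted posting authority
        "key_auths": [["STM_POSTING_PUBKEY_PLACEHOLDER", 1]],
    },
    "active": {
        "weight_threshold": 1,
        "account_auths": [],  # nothing delegated at the active level
        "key_auths": [["STM_ACTIVE_PUBKEY_PLACEHOLDER", 1]],
    },
}


def delegates(account, role):
    """Map each account listed under `role` to whether its weight alone meets the threshold."""
    auth = account[role]
    return {name: weight >= auth["weight_threshold"]
            for name, weight in auth["account_auths"]}


def audit(account, expected_posting_apps):
    """Return findings for delegations beyond the posting grants the user expects."""
    findings = []
    for name, alone in delegates(account, "posting").items():
        if name not in expected_posting_apps:
            findings.append(f"unexpected posting authority: {name} (acts alone: {alone})")
    # A posting grant should never require handing out active-level authority.
    for name, alone in delegates(account, "active").items():
        findings.append(f"active authority delegated: {name} (acts alone: {alone})")
    # Role separation: the posting key and the active key should differ.
    posting_keys = {key for key, _ in account["posting"]["key_auths"]}
    active_keys = {key for key, _ in account["active"]["key_auths"]}
    for key in sorted(posting_keys & active_keys):
        findings.append(f"same key used for posting and active: {key}")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_ACCOUNT, {"video.app.example"}) or "no findings")
```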