diff --git a/API.md b/API.md index d0a2ded3..e9b1bb8f 100644 --- a/API.md +++ b/API.md @@ -97,11 +97,11 @@ register_provider: (RegisterProvider) -> (); The `RegisterProvider` record defines the details about the service to register, including the API key for the service. * `chain_id`: The id of the Ethereum chain this provider allows to connect to. The ids refer to the chain ids as defined for EVM-compatible blockchains, see, e.g., [ChainList](https://chainlist.org/?testnets=true). * `base_url`: The URLs of the Web2 service provider that is used by the canister when using this provider. -* `credential_path`: A path containing API key for authorizing requests to this service provider. This part of the path is private to the entity registering it and the canister. It is not exposed in the response of the `get_providers` method. The URL used to access the service is constructed by concatenating the `base_url` and the `credential_path` (without a seperator), e.g., `"https://cloudflare-eth.com"` and `"/my-api-key"`. +* `credential_path`: A path containing API key for authorizing requests to this service provider. This part of the path is private to the entity registering it and the canister. It is not exposed in the response of the `get_providers` method. The URL used to access the service is constructed by concatenating the `base_url` and the `credential_path` (without a separator), e.g., `"https://cloudflare-eth.com"` and `"/my-api-key"`. * `cycles_per_call`: Cycles charged per call by the canister in addition to the base charges when using this provider. * `cycles_per_message_byte`: Cycles charged per payload byte by the canister in addition to the base charges when using this provider. -The cycles charged can, for example, be used by the entity providing the API key to amortize the API key costs in the case of commercial API keys. A provider record can be removed by its owner principal or a pricipal with administrative permissions. +The cycles charged can, for example, be used by the entity providing the API key to amortize the API key costs in the case of commercial API keys. A provider record can be removed by its owner principal or a principal with administrative permissions. ### `unregister_provider` diff --git a/DeepDive.md b/DeepDive.md index fac90327..5dc35fe2 100644 --- a/DeepDive.md +++ b/DeepDive.md @@ -24,7 +24,7 @@ The API of the canister is specified through a [Candid interface specification]( ### API Keys are stored in the canister -Registered API keys are available to IC nodes in plaintext. While the canister memory is not exposed generallly to users, it is available to node providers and to canister controllers. In the future features such as SEV-SNP will enable privacy of canister memory, but until we have those features the API keys should not be considered to be entirely safe from leakage and potential misuse. API key providers should limit the scope of their API keys and monitor usage to detect any misuse. +Registered API keys are available to IC nodes in plaintext. While the canister memory is not exposed generally to users, it is available to node providers and to canister controllers. In the future features such as SEV-SNP will enable privacy of canister memory, but until we have those features the API keys should not be considered to be entirely safe from leakage and potential misuse. API key providers should limit the scope of their API keys and monitor usage to detect any misuse. ### Registered API providers should be aware that each API call will result in one service provider call per node in the subnet and that costs (and payment) is scaled accordingly @@ -36,7 +36,7 @@ This canister takes pre-signed transactions e.g. for `eth_sendRawTransaction` an ### JSON is not validated -This canister does not validate the JSON passed to the ETH service. Registered API key providers should be aware of this in case the back end service is vulnerable to a bad JSON request body. Registered API providers should be aware that there are methods in the Ethereum RPC API specification which give access to the ETH node keys. Public service providers tend to block these, but registered API providers should ensure that they are not giving access to private keys or other proviledged operations. +This canister does not validate the JSON passed to the ETH service. Registered API key providers should be aware of this in case the back end service is vulnerable to a bad JSON request body. Registered API providers should be aware that there are methods in the Ethereum RPC API specification which give access to the ETH node keys. Public service providers tend to block these, but registered API providers should ensure that they are not giving access to private keys or other privileged operations. ### Requests sent to service providers are subject to the service provider's privacy policy