-
Type: Bug
-
Resolution: Duplicate
-
Priority: Major - P3
-
None
-
Affects Version/s: None
-
Component/s: Charts
-
Labels:None
Description
On a page about creating Embedded Charts: (https://docs.mongodb.com/charts/onprem/data-sources/#enable-or-disable-embedding)
Verified Signature only. This option requires embedded charts to include a secret embedding key with each request sent to the data source.
I found this confusing, because if the client (the web browser) were sending the key, then the user would also be able to see the key, so it wouldn't be a secret.
The linked page cleared it up for me: (https://docs.mongodb.com/charts/onprem/embedding-charts/#embedding-charts)
The verified signature creates a payload by generating a HMAC from your embedding key, a timestamp, and identifying data from your chart.
This makes more sense to me: the key stays secret, and stays on the server. Because only the server knows the key, nobody else can create a signature.
So on that first page, I think "secret embedding key" should say "signature".