What’s the advantage of doing that that you’re thinking of?

Storing the secrets in the OS' credentials store is supposed to be safer than storing them in .Renviron.

I too noticed keyring is not in the httr2 docs, whereas httr has this vignette: Managing secrets.

Interested in this discussion as e.g. qualtRics wraps an API and depends on the user having secrets stored in .Renviron.

Hmmm, I guess since I wrote that httr vignette I'm no longer sure that the keyring is that much more secure. I think it's theoretically more secure, but in practice it's unlikely to make much difference because for an attacker to have access to your .Renviron then that implies they have access to your computer, and are thus can already access your OS keychain.

OTOH maybe people are using project specific .Renviron files which are much more dangerous because they're more likely to end up accidentally committed into git?

Right, maybe it just feels more secure but your point about git seems important.

More niche and less important:

• I like that the OS keychain really feels more different from writing a secret in a script (compared to .Renviron vs secret in script, in both cases you write things in clear in a file which seems to be a bad habit like having a docx with all your passwords).
• I know screen-sharing Renviron by mistake is not a big risk but I also like that this couldn't happen with the OS keychain.

Hmmmm, this all feels like it should maybe be a separate vignette that's env vars vs keychain, but then httr2 doesn't feel like quite the right place for it. Maybe it would be better as a keyring vignette?

but how would httr2 users even think of reading keyring docs, could there be a pointer, even small? 🙂

Right, we'd point to it everywhere we mention env vars.

I updated the keyring readme: https://keyring.r-lib.org/dev/. Do you think that's sufficient for selling it as an alternative to env vars or do I need to write more?

Nice, thank you! I added comments in r-lib/keyring#139 😸

I think this requires more than just a change to the docs: for it to be a useful (and meaningfully more secure workflow), secret_encrypt() and friends need to know to look in the keychain. I think that's probably still worth doing, but I won't get to it in this release.