When creating an app the private key must be saved/displayed

[sammachin]

When I create an app the API responds with a private key, this is the only time that key is sent from Nexmo and can't be recorvered therefore it should be saved to a local file called something like [appid].key and a big red warning message displayed to the developer.

[cbetta]

I intentionally left this out for now as there's some issues we need to discuss.

In your initial spec you suggested saving it in a hidden folder in the user root. This seems unexpected and dangerous for a user! They might not understand that they have the private keys in the location and either leave themselves open to a security problem, or they might accidentally delete them.

Some questions:

• What are these keys for exactly? As in, when would the user need them, and therefore what's the best place to put these keys based on that?
• Does the CLI ever need these keys? If not then saving them with the user API credentials seems odd.

I propose we:

• Warn the user clearly that this is the only time they get the private key
• We either don't save the key (it's in the response, though we should add it to the non-verbose response) or we do save it but we do so in the right place based on the answers to the questions above.

[sammachin]

The keys are/will be used to generate JWTs to sign requests for a given app.

Eventually we will support account level keys on things like the developer API thats the only time i can see the CLI needing them, but at that point I think it would be a change to the nexmo setup flow.

Yeah I agree that putting them in a hidden folder is probabbly bad, the only platform I can think of that give users keys right now is AWS, IIRC they display the key on the page and give you an option to save, I propose this: When an app is created the key is always displayed (even on verbose) unless the user has specifid a --key option with a filename to save to eg: nexmo app:create "My Lovely App" http://example.com http://example.com --keyfile ./private.key

[cbetta]

Sounds good to me! Let's see if I can actually make the warning in RED as well.