# `Attesto.Secret`
[🔗](https://github.com/XukuLLC/attesto/blob/v0.13.0/lib/attesto/secret.ex#L1)

Generate and hash the opaque secrets that back stateful grants.

Authorization codes and refresh tokens are high-entropy random strings
handed to a client once. The server never needs the plaintext again, so
it persists only a hash: a leaked code/refresh store then yields no
usable credentials. This module is the single place that generates such
secrets and computes their lookup hash.

  * `generate/1` returns a fresh base64url-no-pad secret with the given
    entropy (default 32 bytes = 256 bits).
  * `hash/1` returns the SHA-256 base64url-no-pad digest used as the
    storage key. Lookups hash the presented secret and compare, so the
    store is keyed by `hash/1` output, never by plaintext.

Comparisons against a stored value should go through
`Attesto.SecureCompare` to stay constant-time.
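
The issue-and-redeem flow described above, as an added example that is not Attesto's own code: `SecretSketch` and `GrantStoreSketch` are hypothetical stand-ins built on `:crypto` and `Base`, and a plain map stands in for the grant store. It assumes the hash is taken over the secret string exactly as presented, and consuming the entry on redemption is a choice of this example.

```elixir
# Added example: stand-ins for the generate/hash behaviour this page describes.
# Module and function names here are hypothetical, not Attesto's source.
defmodule SecretSketch do
  # `bytes` random bytes from the CSPRNG, base64url without padding
  # (32 bytes encode to 43 characters).
  def generate(bytes \\ 32) when is_integer(bytes) and bytes > 0 do
    bytes |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)
  end

  # SHA-256 over the secret string (assumption), base64url without padding.
  # This digest is the storage key.
  def hash(secret) when is_binary(secret) do
    :crypto.hash(:sha256, secret) |> Base.url_encode64(padding: false)
  end
end

defmodule GrantStoreSketch do
  # Issue: persist only the hash. The plaintext goes to the client once
  # and is never written to the store.
  def issue(store, grant) do
    secret = SecretSketch.generate()
    {secret, Map.put(store, SecretSketch.hash(secret), grant)}
  end

  # Redeem: hash what the client presented and look that up.
  # Map.pop/2 removes the entry, so a replayed secret finds nothing.
  def redeem(store, presented) when is_binary(presented) do
    case Map.pop(store, SecretSketch.hash(presented)) do
      {nil, store} -> {:error, :invalid_grant, store}
      {grant, store} -> {:ok, grant, store}
    end
  end
end

# Constructed grant data for the demonstration.
{code, store} = GrantStoreSketch.issue(%{}, %{client_id: "constructed-client", scope: "read"})

# The store holds the hash, not the code: presenting a leaked storage key
# fails, because the lookup hashes it again and finds no entry.
false = Map.has_key?(store, code)
[stored_key] = Map.keys(store)
{:error, :invalid_grant, ^store} = GrantStoreSketch.redeem(store, stored_key)

# The real code redeems once; presenting it a second time is rejected.
{:ok, %{scope: "read"}, store} = GrantStoreSketch.redeem(store, code)
{:error, :invalid_grant, _} = GrantStoreSketch.redeem(store, code)
```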

# `generate`

```elixir
@spec generate(pos_integer()) :: String.t()
```

Generate a fresh random secret as a base64url-no-pad string with
`bytes` of entropy (default 32).

# `hash`

```elixir
@spec hash(String.t()) :: String.t()
```

The SHA-256 base64url-no-pad hash of `secret`, used as its storage key.

---

*Consult [api-reference.md](api-reference.md) for complete listing*
