I'm running VSCode with the following extensions and config

```
code-runner v0.9.3
code-settings-sync v2.9.2
erb v0.0.1
githistory v0.4.1
gitlens v8.3.3
gruvbox-themes v1.0.0
Ruby v0.18.0
ruby-rubocop v0.7.0
solargraph v0.17.4
sublime-keybindings v4.0.0
vscode-icons v7.23.0
```

```
{
  "vsicons.dontShowNewVersionMessage": true,
  "workbench.colorTheme": "Gruvbox Dark (Medium)",
  "editor.tabSize": 2,
  "workbench.iconTheme": "vscode-icons",
  "window.zoomLevel": 0,
  "sublimeTextKeymap.promptV3Features": true,
  "editor.multiCursorModifier": "ctrlCmd",
  "editor.snippetSuggestions": "top",
  "editor.formatOnPaste": true,
  "sync.gist": "GISTIDHERE",
  "sync.lastUpload": "2018-05-03T02:12:41.998Z",
  "sync.autoDownload": false,
  "sync.autoUpload": false,
  "sync.lastDownload": "2018-05-11T13:58:20.284Z",
  "sync.forceDownload": false,
  "sync.anonymousGist": false,
  "sync.host": "",
  "sync.pathPrefix": "",
  "sync.quietSync": false,
  "sync.askGistName": false,
  "workbench.activityBar.visible": true,
  "explorer.confirmDelete": false,
  "explorer.confirmDragAndDrop": false,
  "extensions.ignoreRecommendations": false,
  "gitlens.advanced.messages": {
    "suppressCommitHasNoPreviousCommitWarning": true,
    "suppressCommitNotFoundWarning": true,
    "suppressFileNotUnderSourceControlWarning": true,
    "suppressGitVersionWarning": true,
    "suppressLineUncommittedWarning": true,
    "suppressNoRepositoryWarning": true,
    "suppressResultsExplorerNotice": false,
    "suppressShowKeyBindingsNotice": true,
    "suppressUpdateNotice": false,
    "suppressWelcomeNotice": true
  },
  "files.associations": {
    "*.html.erb": "erb"
  },
  "sync.removeExtensions": true,
  "sync.syncExtensions": true,
  "gitlens.keymap": "chorded",
  "gitlens.historyExplorer.enabled": true,
  "workbench.startupEditor": "newUntitledFile"
}
```

In this situation, the developers must have access to the master key, which would expose production secrets to more people than necessary. This, of course, depends on the layout of the R&D team. If it is a solo developer working on a personal project, then the exposure is obviously limited. However, in a larger setting, the developers often will have neither access nor the secrets to the production environment.

I have been considering doing something like this, even though it is outside the scope of Ruby. What are people's thoughts? Android or iOS example?

See if this episode helps out. It uses `devise` and the `knock` gem for JWT authentication. https://www.driftingruby.com/episodes/rails-api-authentication-with-jwt