Edit: I made a key mistake writing this post, misunderstanding the role of the active key. Apps do need the active key to grant posting authority, and it's quite normal for 3Speak to ask for it.
I was curious to try out the new video hosting platform on Hive, @threespeak. I signed up by email and then tried to connect my Hive account.
Then something unusual happened.
On the post explaining 3Speak's log-in system, it says that 3Speak will ask for my posting authority, my private posting key:
That makes sense. If I want to post on the site, I would use my posting key to grant the permission to post.
What actually happened was, they said they needed the posting authority, and then asked for my "private active key":
I entered my private posting key, thinking maybe somehow they'd worded it wrong. The "Next" button seemed to do nothing.
What are the keys for?
This is what the posting and active keys do, according to the Hive FAQ:
Posting key - The posting key allows accounts to post, comment, edit, vote, reblog, and follow or mute other accounts. Most users should be logging into Hive every day with the posting key. You are more likely to have your password or key compromised the more you use it so a limited posting key exists to restrict the damage that a compromised account key would cause.
Active key - The active key is meant for more sensitive tasks such as transferring funds, power up/down transactions, converting Hive Dollars, voting for witnesses, updating profile details and avatar, and placing a market order.
In general, you don't want to give your private active key to anyone at all, as that would give them access to the funds in your account. The private posting key is sufficient for posting.
I sent a few emails to 3Speak support.
Ask for help
At first I asked why the "Next" button didn't seem to do anything. They said to double-check my keys to make sure they were entered correctly.
When I asked for clarification about the keys, they told me the active key was required for posting authority.
That goes against what it says on the Hive FAQ, and my own experience of what permissions are required to post, and it even goes against what 3Speak has written on their post explaining the log-in system.
I replied to the email asking for further clarification. At time of posting, I haven't received a response.
Other cases
On the same post about logging in, some commenters @dreamrafa and @wakkylyon said they were also asked for private active keys:
And others such as @rezoanulvibes were asked for private posting keys:
With varying levels of success, as we see here in a comment from @kodeblaccc:
A question of consistency
It seems clear that 3Speak has some technical errors, which happens some times with new projects. It doesn't seem that they're actively looking to solve the problems relating to logging in. They didn't respond to most comments on their post asking about those problems.
The stranger thing is that in some cases they ask for posting keys, and in others they ask for active keys. I can't imagine a legitimate reason for doing this, but I can imagine some illegitimate ones.
To ask for private active keys is to ask for access to the funds in someone's Hive account, to power up, power down, and transfer hive and hive dollars. There is no clear reason a video platform on Hive would ask for that, and their email response made things more unclear.
If a site were to allow some people to enter with just the posting keys, it would give the face of an earnest project, as people would keep posting videos on the site.
If a site were to collect people's private active keys and appear to have an error when they were entered, they might, at some later date, access all of the funds in those accounts. In that event, it might not be clear who the bad actors were.
Upshot
If you have entered your private active keys into 3Speak, whether it accepted them or not, it might be a good time to change your Hive master password - of course backing it up and writing it down so you have many copies. This will also change your private active key and other keys, and it means that anyone who had your active key will now not be able to access your funds.
It would be great to have all of this made clear by the developers of 3Speak, to hear why they are asking some people for active keys, and others only for posting keys, and what they intend to do to improve this in the future.