From ca37ada9e25ace41b6475c0cf0d90ff581ce2c41 Mon Sep 17 00:00:00 2001
From: Hubert Chathi <hubert@uhoreg.ca>
Date: Tue, 27 Apr 2021 22:04:35 -0400
Subject: [PATCH] Document Single SSSS.

---
 content/client-server-api/modules/secrets.md | 24 +++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/content/client-server-api/modules/secrets.md b/content/client-server-api/modules/secrets.md
index b4ae8c02..897ea196 100644
--- a/content/client-server-api/modules/secrets.md
+++ b/content/client-server-api/modules/secrets.md
@@ -42,7 +42,7 @@ passphrases](#deriving-keys-from-passphrases).
 
 | Parameter  | Type      | Description
 |------------|-----------|-------------------------------------------------------------------------------------------------------------------------------------|
-| name       | string    | **Required.** The name of the key.                                                                                                  |
+| name       | string    | Optional. The name of the key. If not given, the client may use a generic name such as "Unnamed key", or "Default key" if the key is marked as the default key (see below). |
 | algorithm  | string    | **Required.** The encryption algorithm to be used for this key. Currently, only `m.secret_storage.v1.aes-hmac-sha2` is supported.   |
 | passphrase | string    | See [deriving keys from passphrases](#deriving-keys-from-passphrases) section for a description of this property.                   |
 
@@ -56,6 +56,18 @@ will be used to encrypt all secrets that the user would expect to be
 available on all their clients. Unless the user specifies otherwise,
 clients will try to use the default key to decrypt secrets.
 
+Clients that want to present a simplified interface to users by not supporting
+multiple keys should use the default key if one is specified. If not default
+key is specified, the client may behave as if there is no key is present at
+all. When such a client creates a key, it should mark that key as being the
+default key.
+
+`DefaultKey`
+
+| Parameter  | Type      | Description
+|------------|-----------|------------------------------------------|
+| key        | string    | **Required.** The ID of the default key. |
+
 ##### Secret storage
 
 Encrypted data is stored in the user's account\_data using the event
@@ -118,6 +130,16 @@ and the key descriptions for the keys would be:
 }
 ```
 
+If `key_id_1` is the default key, then we also have:
+
+`m.secret_storage.default_key`:
+
+```
+{
+  "key": "key_id_1"
+}
+```
+
 ###### `m.secret_storage.v1.aes-hmac-sha2`
 
 Secrets encrypted using the `m.secret_storage.v1.aes-hmac-sha2`