Should you hash an API key?

Secure API Key Storage

The reason we need to store API keys is to make sure that the API key in the request is valid and issued by us (just like a password). Storing only a hashed value means that even if someone gains unauthorised access to our database, no usable API keys are leaked: the attacker obtains hashes, not the keys themselves.

Should API keys be treated like passwords?

Technically, API keys should be treated like passwords, because anyone who holds your API key can perform operations on your behalf without your permission. If you accidentally push an API key to a repository, you will need to fully delete it from the history using something like BFG Repo-Cleaner, or other people will be able to see it; since anyone who saw the commit may already have copied the key, it should also be revoked and reissued.

How long does an API key last?

By default, the API key lifetime is set to 0, which means that keys never expire. To ensure that keys are rotated regularly and that each regenerated key is unique, you must specify a validity period between 1 and 525,600 minutes (one year).

What does it mean to have a hashed API key?

Storing a hashed value means that even if someone gains unauthorised access to our database, the API keys themselves are not leaked. The end user sends the raw API key in each API request, and we validate it by hashing the key from the request and comparing that hash with the hash stored in our database (using a constant-time comparison, so the check does not leak timing information).
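The issue-hash-validate flow described above, including the optional validity period in minutes from the lifetime question, as an added example that is not code from the original page. It assumes an in-memory dictionary standing in for the database table, a key format of `key_id.secret` so the record can be looked up without a raw key in the index, and SHA-256 as the hash (adequate here because the secret part is generated with 256 bits of entropy, unlike a user-chosen password).

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory "database": key_id -> record. A real service would use
# a table with the same columns; the raw key is never stored anywhere.
KEY_STORE = {}


def _hash_key(raw_key: str) -> str:
    # API keys are generated with high entropy, so a single SHA-256 is adequate;
    # low-entropy passwords would need a slow hash (bcrypt/argon2) instead.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_key(lifetime_minutes: int = 0, now: Optional[float] = None) -> str:
    """Create a key, store only its hash, and return the raw key exactly once.

    lifetime_minutes=0 means the key never expires (the default described above).
    `now` is Unix time in seconds; it is a parameter so expiry can be tested.
    """
    now = time.time() if now is None else now
    key_id = secrets.token_hex(8)            # public lookup handle, not secret
    secret_part = secrets.token_urlsafe(32)  # 256 bits of entropy, no '.' chars
    raw_key = f"{key_id}.{secret_part}"
    expires_at = now + lifetime_minutes * 60 if lifetime_minutes else None
    KEY_STORE[key_id] = {"hash": _hash_key(raw_key), "expires_at": expires_at}
    return raw_key


def validate_key(raw_key: str, now: Optional[float] = None) -> bool:
    """Hash the presented key and compare it with the stored hash."""
    now = time.time() if now is None else now
    key_id, _, _ = raw_key.partition(".")
    record = KEY_STORE.get(key_id)
    if record is None:
        return False
    if record["expires_at"] is not None and now >= record["expires_at"]:
        return False
    # compare_digest runs in constant time, so a near-miss hash cannot be
    # distinguished from a complete miss by measuring response latency.
    return hmac.compare_digest(record["hash"], _hash_key(raw_key))
```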

Why do we need to store an API key?

Since the API key provides direct access to data, it’s pretty much like a password that a user of a web or mobile app provides to gain access to the same data. Think about it. The reason we need to store API keys is to make sure that the API key in the request is valid and issued by us (just like a password).

How is an API key like a password?

Since the API key provides direct access to data, it’s pretty much like a password that a user of a web or mobile app provides to gain access to the same data. Think about it.

What kind of authentication do you need for an API?

You might have built or are thinking of building APIs for other developers to use. An API needs some form of authentication to provide authorised access to the data it returns. There are several authentication standards available today such as API Keys, OAuth, JWT, etc.