fabian2k 2 days ago

You don't need any encryption or signing for API keys. Using JWTs is probably more dangerous here, and more annoying for people using the API since you now have to handle refreshing tokens.

Plain old API keys are straightforward to implement. Create a long random string and save it in the DB. When someone connects to the API, check if the API key is in your DB and use that to authenticate them. That's it.

swiftcoder 2 days ago | parent | next [-]

> Plain old API keys are straightforward to implement

This is pretty much just plain-old-api-keys, at least as far as the auth mechanism is concerned.

The prefix slug and the checksum are just there so your vulnerability scanner can find and revoke all the keys folks accidentally commit to GitHub.

vjay15 2 days ago | parent [-]

yes this is the approach!

iamflimflam1 2 days ago | parent | prev | next [-]

I would add the capability to be able to seamlessly rotate keys.

But otherwise, yes, for the love of everything holy - keep it simple.

sabageti 2 days ago | parent | prev [-]

We don't store it in plain text, right? Store them hashed, as always.
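The design the thread converges on (a long random key with a prefix slug and checksum so scanners can recognise it, only a hash kept server-side, and rotation with an overlap window), as an added example that is not code from any of the commenters. The `acme_` prefix, the CRC32 checksum format and the in-memory `ApiKeyStore` are constructed assumptions standing in for a real service and its database.

```python
import hashlib
import secrets
import zlib
from typing import Optional

PREFIX = "acme_"  # constructed prefix slug; use one unique to your service

def _checksum(body: str) -> str:
    # CRC32 of the random part as 8 hex chars. Not a security control: it only lets a
    # secret scanner tell a real key from a random hex string with few false positives.
    return f"{zlib.crc32(body.encode()):08x}"

def _digest(key: str) -> str:
    # The body is 128 random bits, so unsalted SHA-256 is enough to make a leaked
    # table useless; a slow password hash is unnecessary here and would add latency.
    return hashlib.sha256(key.encode()).hexdigest()

def generate_key() -> str:
    body = secrets.token_hex(16)
    return f"{PREFIX}{body}_{_checksum(body)}"

def looks_like_key(candidate: str) -> bool:
    """Structural check a scanner or the API front door can run without the DB."""
    if not candidate.startswith(PREFIX):
        return False
    parts = candidate[len(PREFIX):].split("_")
    return len(parts) == 2 and len(parts[0]) == 32 and _checksum(parts[0]) == parts[1]

class ApiKeyStore:
    # Holds only digests; the plaintext key is shown to the caller once and never kept.
    def __init__(self) -> None:
        self._by_digest: dict = {}  # sha256(key) -> account id

    def issue(self, account: str) -> str:
        key = generate_key()
        self._by_digest[_digest(key)] = account
        return key

    def authenticate(self, candidate: str) -> Optional[str]:
        if not looks_like_key(candidate):
            return None  # cheap reject before touching the DB
        return self._by_digest.get(_digest(candidate))

    def rotate(self, old_key: str) -> Optional[str]:
        # Second key for the same account; the old one stays valid until revoke(),
        # so clients can switch over without downtime.
        account = self.authenticate(old_key)
        return self.issue(account) if account else None

    def revoke(self, key: str) -> bool:
        return self._by_digest.pop(_digest(key), None) is not None
```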