ramchip 2 days ago

The purpose of the checksum is to help secret scanners avoid false positives, not to optimize the (extremely rare) case where an API key has a typo.

matja 2 days ago | parent | next [-]

I suppose there could be two checksums, or two hashes: the public spec that can be used by API key scanners on the client side to detect leaks, and an internal hash with a secret nonce that is used to validate that the API key is potentially valid before needing to look it up in the database.

That lets clients detect leaks, but malicious clients can't generate lots of valid-looking keys to spam your API endpoint and generate database load for just looking up API keys.

ramchip 2 days ago | parent [-]

That second hash is called a Message Authentication Code (MAC); it's what the JWT HS256 algorithm does.

vjay15 2 days ago | parent | prev [-]

Thank you so much ram chip :) I didn't know that!
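
An added example, not part of the thread: a sketch of the two-check key layout matja describes, with the MAC ramchip names as the second check. The `demo_` prefix, the field lengths, CRC32 as the public checksum and the 64-bit HMAC-SHA256 truncation are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets
import zlib

# Assumed layout: demo_<32 hex body><8 hex CRC32><16 hex truncated HMAC>
PREFIX = "demo"  # hypothetical vendor prefix
KEY_RE = re.compile(r"^demo_([0-9a-f]{32})([0-9a-f]{8})([0-9a-f]{16})$")


def public_checksum(body: str) -> str:
    """Unkeyed checksum from the public spec; any scanner can compute it."""
    return f"{zlib.crc32(body.encode()):08x}"


def mac_tag(body: str, server_secret: bytes) -> str:
    """Keyed tag (HMAC-SHA256 cut to 64 bits); needs the server's secret."""
    digest = hmac.new(server_secret, body.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def mint_key(server_secret: bytes) -> str:
    body = secrets.token_hex(16)
    return f"{PREFIX}_{body}{public_checksum(body)}{mac_tag(body, server_secret)}"


def scanner_match(candidate: str) -> bool:
    """Leak detection: format plus public checksum, no secret required."""
    m = KEY_RE.match(candidate)
    return bool(m) and public_checksum(m.group(1)) == m.group(2)


def server_precheck(candidate: str, server_secret: bytes) -> bool:
    """Gate run before any database lookup; rejects keys the server never minted."""
    m = KEY_RE.match(candidate)
    if not m or public_checksum(m.group(1)) != m.group(2):
        return False
    # Constant-time comparison so the check does not leak tag bytes via timing.
    return hmac.compare_digest(mac_tag(m.group(1), server_secret), m.group(3))


def lookalike_key() -> str:
    """Constructed sample: correct public checksum, tag filled in without the secret."""
    body = secrets.token_hex(16)
    return f"{PREFIX}_{body}{public_checksum(body)}{'0' * 16}"
```

A key that passes `server_precheck` still has to be looked up, since the tag only shows the server minted it, not that it is unrevoked.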