API Key Authentication Best Practices (opens in new tab)

(zuplo.com)

38 pointsnathantotten3y ago6 comments

6 comments

The checksum validation was something I hadn't come across before. Interesting way to minimize the load on the API key store.

molmorg3y ago

Yeah, some folks might consider going further and use hashes that salted or one-way encrypted via key so that nobody else can recreate the checksum. Some performance tradeoffs but can prevent some other vectors like cache-filling etc.

ChaosMuppet3y ago

With regards to secret scanning, a shout-out to the "secret-token" URI scheme https://datatracker.ietf.org/doc/html/rfc8959

Also, in addition to showing the creation date of the API key, I find it super friendly if it is possible to name the API key (and/or add a note to it).

devCreek3y ago

Regarding retrievable vs. irretrievable, I think is a matter of who do you delegate the ownership of the security. Using Irretrievable, you are transferring that to your users, which in a lot of scenarios just store them in plain text in non secure places.

I think having the chance to retrieve the api keys gives a much better Developer Experience to your consumers.

DataOverload3y ago

Never thought of it that way, and honestly this is so correct. Some of my PATs are stored in Apple Notes because I need them every so often. I guess I could use something like 1Password to store them securely but it's just another transfer of ownership and trust.

molmorg3y ago

Author of the article here - look forward to any discussion here. Curious how many folks have already implemented something like this themselves... did you make different decisions?

j / k navigate · click thread line to collapse

6 comments

sghosh23y ago

The checksum validation was something I hadn't come across before. Interesting way to minimize the load on the API key store.

molmorg3y ago

ChaosMuppet3y ago

With regards to secret scanning, a shout-out to the "secret-token" URI scheme https://datatracker.ietf.org/doc/html/rfc8959

Also, in addition to showing the creation date of the API key, I find it super friendly if it is possible to name the API key (and/or add a note to it).

devCreek3y ago

I think having the chance to retrieve the api keys gives a much better Developer Experience to your consumers.

DataOverload3y ago

molmorg3y ago

Author of the article here - look forward to any discussion here. Curious how many folks have already implemented something like this themselves... did you make different decisions?

j / k navigate · click thread line to collapse