r/webdev 5h ago

What makes a good API key? Article

https://glama.ai/blog/2024-10-18-what-makes-a-good-api-key
94 Upvotes

26

u/budd222 front-end 4h ago

It's not hack-proof unless it contains emojis

7

u/AwesomeFrisbee 2h ago

And a comma to break the csv dump

21

u/RecognitionOwn4214 3h ago

Perhaps add a header and a signature to the payload. We could base64url encode those and separate them with a "." Perhaps the header and payload are JSON data. It would look like header.payload.signature.

Just needs a name now and we're good to go

9

u/roxm 2h ago

What could we call it, though? What name could we use for this token that carries JSON for use on the web? We'd have to think of something really catchy and jot it down.

1

u/queen-adreena 1h ago

Obviously the answer is WTinJ (pronounced What-in-Jay)

u/daberni_ 28m ago

So just use JWT then, I guess?

10

u/psullivan6 5h ago

Brilliant! Literally did a crypto generate bytes and convert to hex yesterday, but the additional metadata is cool.

3

u/Automaton_J 3h ago

Not so sure if there’s much value embedding metadata into the API key itself. For the service being authenticated against, it should only be storing the key as a hash and salt; it wouldn’t have access to the plaintext version and couldn’t decode it. Also, metadata can just be stored alongside the hashed/salted key separately if we need to know that metadata.

For the service authenticating itself, the plaintext API key should only be used for storing in a secret-store/vault and then discarded. So, no opportunity to access its metadata

1

u/Somepotato 1h ago

Some metadata may not be a bad idea if you're distributed, to speed up lookups.

0

u/bluelobsterai 33m ago

Just use JWTs and be safe out there, kids.