alt Hacker NewsI don't understand the need for this level of engineering. It appears we are going for an opaque bearer token here. The checksum is pointless because an entire 512 bit token still fits in an x86 cache line. Comparing the whole sequence won't show up in any profiler session you will ever care about.
If you want aspects of the token to be inspectable by intermediaries, then you want json web tokens or a similar technology. You do not want to conflate these ideas. JWTs would solve the stated database concern. All you need to store in a JWT scheme are the private/public keys. Explicit tracking of the session is not required.
Replies
> The checksum is pointless because an entire 512 bit token still fits in an x86 cache line
I suppose it’s there to avoid round-trip to the DB. Most of us just need to host the DB on the same machine instead, but given sharding is involved, I assume the product is big enough this is undesirable.
Hello bob! the checksum is for secret scanning offline and also for rejecting api keys which might have a typo (niche case)
I just was confused regarding the JWT approach, since from the research I did I saw that it's supposed to be a unique string and thats it!
JWTs solve some problems but then come with a lot of their own. I do not think they should be the goto solution.