Hacker News

fabian2k, today at 7:28 AM (3 replies)

You don't need any encryption or signing for API keys. Using JWTs is probably more dangerous here, and more annoying for people using the API since you now have to handle refreshing tokens.

Plain old API keys are straightforward to implement. Create a long random string and save it in the DB. When someone connects to the API, check if the API key is in your DB and use that to authenticate them. That's it.


Replies

swiftcoder, today at 8:42 AM

> Plain old API keys are straightforward to implement

This is pretty much just plain-old-api-keys, at least as far as the auth mechanism is concerned.

The prefix slug and the checksum are just there so your vulnerability scanner can find and revoke all the keys folks accidentally commit to github.

iamflimflam1, today at 7:35 AM

I would add the capability to be able to seamlessly rotate keys.

But otherwise, yes, for the love of everything holy - keep it simple.

sabageti, today at 8:44 AM

We don't store it in plain text, right? Store them hashed, as always.
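An added illustration, not code from this thread or from the article it discusses, of the design the comments above sketch: fabian2k's long random string checked against the DB, swiftcoder's prefix slug plus checksum so a scanner can recognise leaked keys offline, sabageti's hash-only storage, and iamflimflam1's rotation (new key issued, old key kept working until revoked). The `exk_` prefix, the CRC32 checksum, the key-id scheme and the in-memory `db` dict are assumptions standing in for a real service's choices.

```python
import hashlib
import hmac
import secrets
import zlib
from typing import Optional

PREFIX = "exk_"   # hypothetical prefix slug; a real service picks its own
BODY_HEX = 40     # 20 random bytes -> 160 bits of entropy
ID_HEX = 8        # first 8 hex chars of the body double as a non-secret lookup id

def _checksum(body: str) -> str:
    # CRC32 of the random body: lets a scanner spot a key with no DB lookup
    return format(zlib.crc32(body.encode()), "08x")

def _hash(key: str) -> str:
    # A fast hash is fine: the key is 160 random bits, not a guessable password
    return hashlib.sha256(key.encode()).hexdigest()

def key_id(key: str) -> str:
    return key[len(PREFIX):len(PREFIX) + ID_HEX]

def looks_like_key(candidate: str) -> bool:
    """Scanner-side check: right prefix, length and checksum."""
    if not candidate.startswith(PREFIX) or len(candidate) != len(PREFIX) + BODY_HEX + 8:
        return False
    body, chk = candidate[len(PREFIX):-8], candidate[-8:]
    return hmac.compare_digest(_checksum(body), chk)

def issue_key(account: str, db: dict) -> str:
    """Mint a key for `account`; only its hash is stored (db is an in-memory stand-in)."""
    body = secrets.token_hex(BODY_HEX // 2)
    key = f"{PREFIX}{body}{_checksum(body)}"
    db[body[:ID_HEX]] = {"account": account, "hash": _hash(key), "active": True}
    return key

def revoke(kid: str, db: dict) -> None:
    """Finish a rotation (or kill a leaked key): the old key stops working."""
    if kid in db:
        db[kid]["active"] = False

def authenticate(candidate: str, db: dict) -> Optional[str]:
    """Return the account for a valid, active key, else None (no DB hit for junk)."""
    if not looks_like_key(candidate):
        return None
    row = db.get(key_id(candidate))
    if row is None or not row["active"]:
        return None
    if not hmac.compare_digest(_hash(candidate), row["hash"]):
        return None
    return row["account"]
```

Because the checksum only covers the random body, a scanner can flag candidates without ever contacting the service, while the server still needs the stored hash to accept a key.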