alt Hacker NewsWhile it's true that API keys are basically prefix + base32Encode(ID + secret), you will want a few more things to make secure API keys: at least versioning and hashing metadata to avoid confused deputy attacks.
Here is a detailed write-up on how to implement production API keys: https://kerkour.com/api-keys
Replies
vjay15 • today at 9:10 AM
Thank you! I will definitely look into it!
I don’t understand your explanation on mitigating the confused deputy. If the attacker has access to the database, can’t they just read the IDs for the target row they are overriding first so they can generate the correct hash?