API keys best practices.
Thread ๐งต๐๐ป
Thread ๐งต๐๐ป
An API key is a unique code used to authenticate a user's request.
It is used to identify the source of the data and ensure that the data comes from a trusted source.
API Keys are a breeze to use - they're short, static, and, unless revoked, don't expire.
It is used to identify the source of the data and ensure that the data comes from a trusted source.
API Keys are a breeze to use - they're short, static, and, unless revoked, don't expire.
1๏ธโฃ API keys need to be unique and random
The best practice is to use API keys with Alphanumeric and special characters.
It may look like this:
1713e4b8-1e1e-4e06-9869-84cba00e7452
The best practice is to use API keys with Alphanumeric and special characters.
It may look like this:
1713e4b8-1e1e-4e06-9869-84cba00e7452
2๏ธโฃ API keys have to be stored securely
Let's explain how to store them securely.
It's very risky to store the raw version of the API in our database.
Why? Because your DB may become compromised, and intruders get all the API keys used by a system.
Let's explain how to store them securely.
It's very risky to store the raw version of the API in our database.
Why? Because your DB may become compromised, and intruders get all the API keys used by a system.
The best way to avoid this from happening is to use the following process:
1. Generate an API key for the user and show it to the user
2. Hash the API key and store the hashed version in DB
1. Generate an API key for the user and show it to the user
2. Hash the API key and store the hashed version in DB
3. Next time the user tries to authenticate, we use the API key provided, hash it, and compare the hashed version against the one stored in the DB
4. If they match user can access the resource
4. If they match user can access the resource
As we store the hashed version of the key on the server, we can show the API key to the user only once, exactly after it was generated.
So if the user forgot his API, he must create another one and revote the forgotten one.
So if the user forgot his API, he must create another one and revote the forgotten one.
3๏ธโฃ Restrict access to your API keys
If the user requires just read data, and there is no requirement to modify them, the generated API key should have restricted access to the resources (read-only).
Users with write requirements will get API keys with more privilege.
If the user requires just read data, and there is no requirement to modify them, the generated API key should have restricted access to the resources (read-only).
Users with write requirements will get API keys with more privilege.
4๏ธโฃ Rate limiting
Lastly, rate limiting is an essential factor in securing your API.
Rate limiting restricts access to the API for a specified number of requests in a specified time frame.
Lastly, rate limiting is an essential factor in securing your API.
Rate limiting restricts access to the API for a specified number of requests in a specified time frame.
If the number of requests exceeds, the API won't return and process the request.
Hope you enjoyed this thread.
If you found this thread useful, follow @Rapid_API ๐๐
If you found this thread useful, follow @Rapid_API ๐๐
Loading suggestions...