So I’ve had this idea for an API for a while but the problem I keep coming back to is authentication. I’m using rocket to actually code it. I looked through the rocket docs and it looks like the closest thing to API key authentication it has are cookies.
I then went and looked at some other APIs to see if I can copy their layouts and it looks like a lot of them use an API key and then a secret API key for authentication. Did some more googling and stackoverflow said that it’s more secure to use a pair like that.
So that leaves me with the actual question: how do you actually implement this feature? Do you just generate API keys and throw them a database to be looked up later? Should they be written/read to a file to be used later(probably not a good option I’d guess).
Just for reference I’m using rocket, sqlx and postgres.
Don’t forget to add some salt to that hash.
why would you need to salt long random strings?
also if you salt them you have to have an id too so you can look up who’s api key it is. otherwise you can just look up the key hash to get everything
why would you need to salt long random strings?
also if you salt them you have to have an id too so you can look up who’s api key it is. otherwise you can just look up the key hash to get everything