Should there be API secrets?

This may sound like a silly question, because passwords, of course, need to be hashed and the original must never be stored.

However, for API secrets, as a rule, I see that they are shown to you in a box when you register for them.

For example, if I go to the Google API console and look at my credentials page, I can view my client secret; the same goes for Twitter.

Surely API keys are just as sensitive as passwords?

Is it just because, on the provider's side, you can be sure that a sufficiently strong secret is generated? In that case, though, it provides no protection if your database is compromised.

Or is it because, if you use token-based authentication, you are either doing a password-grant type of flow that requires you to send your credentials along with the client ID and secret, or using a refresh token, so that the user would already have to be compromised?

+6
1 answer

I can offer several possible answers to this:

  • In some cases, the server may need to keep the plaintext API key in permanent storage to satisfy usability requirements (the Google and Twitter examples).
  • API- , - , , API (, , ).
  • API ( , ), , .
  • . , API, , , .

, . , , . - - , , , , . - , , . , , , , bcrypt ( MD5!) , . - .

+4
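An added example, not part of the question or the answer above, of the alternative the answer contrasts with plaintext storage: the server shows the secret once at creation and afterwards keeps only a hash of it, so a copy of the database does not yield usable keys. Because the secret is generated server-side with 256 bits of entropy (unlike a human-chosen password), a plain SHA-256 is used here instead of the bcrypt the answer mentions; that is a design choice of this example. The `ak_` prefix, the `StoredKey` record and the in-memory `store` dict are assumptions standing in for a real key table.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class StoredKey:
    """What the server persists: a lookup id, the secret's hash, and a label.
    The plaintext secret is deliberately absent (assumed schema)."""
    key_id: str
    key_hash: bytes
    label: str


def _hash_secret(secret: str) -> bytes:
    # Fast hash is acceptable only because the secret is 256 bits of CSPRNG
    # output; a slow KDF such as bcrypt is for low-entropy, human-chosen input.
    return hashlib.sha256(secret.encode("ascii")).digest()


# Used to keep the failure path's timing the same whether or not key_id exists.
_DUMMY_HASH = _hash_secret("0" * 64)


def issue_api_key(store: Dict[str, StoredKey], label: str) -> str:
    """Create a key, persist only its hash, and return the plaintext exactly once.

    Format (assumed): ak_<key_id>_<secret>, hex so the '_' separator is unambiguous.
    """
    key_id = secrets.token_hex(8)       # 64-bit public identifier for lookup
    secret = secrets.token_hex(32)      # 256-bit secret, never stored
    store[key_id] = StoredKey(key_id=key_id, key_hash=_hash_secret(secret), label=label)
    return f"ak_{key_id}_{secret}"


def verify_api_key(store: Dict[str, StoredKey], presented: str) -> Optional[StoredKey]:
    """Return the matching record, or None if the key is malformed, unknown or wrong."""
    parts = presented.split("_", 2)
    if len(parts) != 3 or parts[0] != "ak":
        return None
    _, key_id, secret = parts
    record = store.get(key_id)
    expected = record.key_hash if record is not None else _DUMMY_HASH
    # Constant-time comparison so an attacker cannot learn the hash byte by byte.
    ok = hmac.compare_digest(_hash_secret(secret), expected)
    if record is None or not ok:
        return None
    return record


def store_holds_plaintext(store: Dict[str, StoredKey], presented: str) -> bool:
    """Check (for the demo) whether the presented secret appears anywhere in storage."""
    secret = presented.split("_", 2)[-1]
    return any(secret in repr(rec) for rec in store.values())


if __name__ == "__main__":
    db: Dict[str, StoredKey] = {}
    key = issue_api_key(db, "ci-pipeline")   # show this to the user once, then forget it
    print("issued:", key)
    print("valid:", verify_api_key(db, key) is not None)
    print("plaintext in store:", store_holds_plaintext(db, key))
```

If a database dump is the threat you care about, this is the trade-off the answer points at: the server can no longer redisplay the secret on a credentials page, so the user must be told to copy it at creation time and rotate it if lost.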

Source: https://habr.com/ru/post/1016256/

