All geek questions in one place

How to create a strong api key

I want to create a secure REST API

If I see the Google API, for example, the KEY API is generated based on the domain.

I got two questions from this:

First, is it true / right using a one-way hash? If so, how, if someone knows the hash method and domain, so he can generate the api key and use it. and what is the hash method / function that I can use?

Secondly, as a client makes a desktop application, how can he generate an API key, access to which from the desktop, now a website with a domain URL. I mean, they can generate an api key because they don't have a url.

Is there a good way? How to create a secure api and how to create an api key?

btw i'm using php

+6
source share
4 answers

  • you can use and mix many hash methods with an additional salt, which can be based on a domain + other logic that will be very difficult to guess or crack (depends on which hash algorithms you will use and other things) if someone doesn’t knows how to do it. you can also generate a UUID and use it as an api key (maybe I will use it), http://en.wikipedia.org/wiki/Uuid version 4, for example, you can check its implementation details, or even think about some improvements are easy.

  • not quite sure what you mean.

+3
source

If you plan on using a one-way hash, you should definitely look into the pickle. You can generate something like a 10-character random string (this will be your salt), either add or add salt to the domain (which you originally wanted to hash), and then transfer it using the hash algorithm along the same path of your choice.

I assume that you are storing the API keys in some kind of database. You must first do what I explained above, and then save this salty and hashed password in your database along with the random salt that you created. Thus, if someone knows the hashing algorithm that you use, they will still need to get the salts. If you make your salt random (as I said earlier), they most likely will not be able to guess it :)

There is one more step if you plan to use this approach. When checking the correctness of the API key, you must take the given API key, go through the table and find the salt that you used in this API key (you can query the table using the username), add or add this salt to, and then send it through the same hashing algorithm. If it matches that in your database, this is the right key!

Hope this helps! :)

+2
source

So, if you have a database table that stores API keys and clients using them, you will create unique keys for all clients. You can easily randomize characters, optionally use them and save as a key.

eg.

$length = 16; // 16 Chars long $key = ""; for ($i=1;$i<=$length;$i++) { // Alphabetical range $alph_from = 65; $alph_to = 90; // Numeric $num_from = 48; $num_to = 57; // Add a random num/alpha character $chr = rand(0,1)?(chr(rand($alph_from,$alph_to))):(chr(rand($num_from,$num_to))); if (rand(0,1)) $chr = strtolower($chr); $key.=$chr; }

If you want to use this hash, you can use MD5 or SHA1, but you will need to do a backward comparison in the database, for example.

 SELECT * FROM api_keys where MD5(key) = INPUT

I hope this helps

+1
source

This function will return a random string every time. This will help you generate the API key and secret by calling twice and storing the value in a variable. This is an easy way to generate a new key every time.

 function generateRandomString($length = 30) { $characters='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0987654321'.time(); $charactersLength = strlen($characters); $randomString = ''; for ($i = $length; $i > 0; $i--) { $randomString .= $characters[rand(0, $charactersLength - 1)]; } return $randomString; } I think this is simple and usefully.
0
source

Source: https://habr.com/ru/post/899678/

More articles:


All Articles