how to create strong api key

php api api-key
14,623

Solution 1

  1. you can use and mix many hash methods with additional salt, which can be based on domain+other logic, that will be very difficult to guess or crack (depends what hash algorithms you will use and other things), unless someone knows how its done. you can also generate UUID and use it as api key(probably i would use that), http://en.wikipedia.org/wiki/Uuid version 4 for example, you can check the implementation details of it, or even think of some improvements easily.

  2. not quite sure what you mean there.

Solution 2

If you plan on using a one way hash, you should definitely look into salting. You can generate something like a 10 character random string (this will be your salt), either append or prepend the salt to domain (what you initially wanted to hash), then pass it through a one way hashing algorithm of your choice.

I'm guessing you're storing your API keys inside some sort of database. You would first do what I explained above, then store that salted and hashed password in your database along with the random salt you generated. This way if someone knows the hashing algorithm you're using, they would still need to get their hands on the salt. If you make your salt random (like i said earlier), they most likely won't be able to guess it :)

There's one additional step if you plan on using this approach. When checking if the API key is correct, you would take the given API key, go through your table and find the salt you used on that API key (you can query the table using the users username), append or prepend that salt to the key, then send it through the same hashing algorithm. If it matches the one in your database, it's a correct key!

Hope this helps! :)

Solution 3

Ok, so if you have a database table storing API keys and clients using them, you would build unique keys for all clients. You can easily randomize characters, optionally hash them and store that as the key.

eg.

$length = 16; // 16 Chars long
$key = "";
for ($i=1;$i<=$length;$i++) {
  // Alphabetical range
  $alph_from = 65;
  $alph_to = 90;

  // Numeric
  $num_from = 48;
  $num_to = 57;

  // Add a random num/alpha character
  $chr = rand(0,1)?(chr(rand($alph_from,$alph_to))):(chr(rand($num_from,$num_to)));
  if (rand(0,1)) $chr = strtolower($chr);
  $key.=$chr;
  }

If you want to hash this, you can use MD5 or SHA1 but you will need to reverse compare in the database, eg.

SELECT * FROM api_keys where MD5(key) = INPUT

I hope this helps

Solution 4

This Function will return Random string every time. This will help you to generate API Key and Secret by calling two times and store value into the variable.This is the simple way to generate every time new key.. 

function generateRandomString($length = 30)
{
$characters='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0987654321'.time();
$charactersLength = strlen($characters);
$randomString = '';
  for ($i = $length; $i > 0; $i--)
  {
    $randomString .= $characters[rand(0, $charactersLength - 1)];
  }
  return $randomString;
}


I think this is simple and usefully.
Share:
14,623
Ahmad
Author by

Ahmad

Updated on June 24, 2022

Comments

  • Ahmad
    Ahmad almost 2 years

    I want create a secure REST API

    If i see the google API for example, the API KEY is generated based on domain.

    from this i got two question :

    First, is that true/right using one way hash ?, if yes how if someone know the hash method and the domain, so he can generate api key and use it. and what hash method/function that i can use ?

    The second is, how if client make a desktop application, how he can generate API KEY which accessed from desktop, now a website that have a domain url. i mean, they can generate api key because not have url.

    is there any good way ?, how to create a secured api and how to create a api key ?

    btw i'm using PHP

  • Keenora Fluffball
    Keenora Fluffball over 12 years
    You also could add things like the time of creation or the username / userid of the api user, if you have no url.
  • Ahmad
    Ahmad over 12 years
    for number 2, if the API_KEY is generated based on domain url. how if desktop application can use the API key ?
  • Prof
    Prof over 12 years
    You dont need to generate the API key using the domain as a factor. As mentioned in my answer, you can generate any key using randomized characters, and if you wanted further logic, use a form of registering the api key with the website allowing it to hash the generated key with a client id etc. It's all very flexible and depends entirely on what you want to acheive

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Cash out virtual credit with PayPal API
Strange characters and encoding while using twitter API
Laravel Passport API: createToken get id
How to get api data using jquery ajax?
Getting followers and following with Instagram APIs
Laravel Api update and delete function
Unsupported media type for xml php curl request
How to set header for all requests in route group
Get user birthday with Google API
How can I download/upload images in a REST API?