PHP API Key Generator

Solution 1

There are multiple ways to generate API keys. I've used the following 3 methods depending on the application:

  1. Base62(random). Generate a large secure random number and Base-62 encode it. The key looks like "w5vt2bjzf8ryp63t". This is good for a self-provisioned system. You don't have to worry about collisions and inappropriate keys. You have to check the database to know if the key is valid.

  2. Base62(MD5-HMAC(key, Normalize(referer))). This works great if the API is only allowed from one site. Just check the HMAC of the normalized referer and you know if the key is valid, no database access. You need to keep the HMAC key secret to do this.

  3. Human assigned friendly names like "example.com". This works great if API users are required to own a domain or they are your corporate partners.

Please keep in mind that there is no security in API keys. It's just a name assigned to your API application. More and more people are using terms like "App ID" or "Dev ID" to reflect what it really is. You have to assign another secret key if you want to secure your protocol, like consumer_key/consumer_secret in OAuth.
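
As an added example that is not part of the original answer, here are methods 1 and 2 from the list above written out in PHP, in the generate()/isValid() shape the question asks for. The class name, the 16-byte key length and the use of SHA-256 rather than MD5 for the HMAC are my own choices; it assumes PHP 7.0 or later (random_bytes, hash_equals, intdiv).

```php
<?php
// Added example (not from the original answers): Solution 1's methods 1 and 2 behind the
// generate()/isValid() shape the question asks for. Assumes PHP >= 7.0 (random_bytes, hash_equals).
final class ApiKeyGenerator
{
    const ALPHABET = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    // Base-62 encode a binary string by repeated division (no gmp/bcmath needed).
    private static function base62(string $bytes): string
    {
        $digits = array_values(unpack('C*', $bytes));
        $out = '';
        while ($digits !== []) {
            $rem = 0; $next = [];
            foreach ($digits as $d) {
                $acc = $rem * 256 + $d;
                $q = intdiv($acc, 62); $rem = $acc % 62;
                if ($next !== [] || $q > 0) { $next[] = $q; }   // drop leading zero limbs
            }
            $out = self::ALPHABET[$rem] . $out;
            $digits = $next;
        }
        return $out;
    }
    // Method 1: Base62(random). 128 bits from the CSPRNG, so two keys issued in the same
    // millisecond cannot collide the way md5(microtime()) can. Validity is a database lookup.
    public static function generate(): string
    {
        return self::base62(random_bytes(16));
    }
    // Lowercased host only, so scheme, path and query string do not change the key.
    public static function normalizeReferer(string $referer): string
    {
        $host = parse_url($referer, PHP_URL_HOST);
        if (!is_string($host) || $host === '') {
            throw new InvalidArgumentException('Referer has no host: ' . $referer);
        }
        return strtolower($host);
    }
    // Method 2: Base62(HMAC(secret, Normalize(referer))), SHA-256 in place of the answer's MD5.
    public static function generateForReferer(string $referer, string $secret): string
    {
        return self::base62(hash_hmac('sha256', self::normalizeReferer($referer), $secret, true));
    }
    // Recompute and compare in constant time; no database access, only the secret.
    public static function isValidForReferer(string $key, string $referer, string $secret): bool
    {
        return hash_equals(self::generateForReferer($referer, $secret), $key);
    }
}
```

With method 2, `isValidForReferer(ApiKeyGenerator::generateForReferer('https://example.com/page?x=1', $secret), 'http://EXAMPLE.com/', $secret)` is true because both referers normalize to the same host, while any other host or a tampered key is rejected.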

Solution 2

Here is my simple answer to this question:

$key = implode('-', str_split(substr(strtolower(md5(microtime().rand(1000, 9999))), 0, 30), 6));

Solution 3

Just use something like this (pseudo code): sha1(salt + time + mac-addr + another salt + some other random data). crc32 or md5 would also work instead of sha1. Store it in a database, and then isValid() checks the db for whether the key exists?

Solution 4

You can just use md5(uniqid()) and divide it into parts or format in other preferable way.

Solution 5

Well, as it has been mentioned, it is all dependent on the situation. One method that I needed to use was to authenticate a referer URL with a specifically assigned API key. So with the API key all that was really needed was (pseudo) key = md5(referer url + name + salt), which you then can have a checksum for. I know something similar to this has been mentioned before, but it is just that way. As for the isValid() function, all you need to do with this is compare it against the checksum and URL.

Edit: Just realised the age of the original question :S

Author: xpepermint

Updated on July 14, 2021

Comments

  • xpepermint
    xpepermint almost 3 years

    Does anyone know of any API key generator script/class for PHP? The class should have method generate, that would generate a key and isValid() method, to check if the key is valid.

  • xpepermint
    xpepermint over 14 years
    That was my first thought :).
  • user3529201
    user3529201 over 14 years
    Don't forget that you can't just take the SHA1 (or any other hash) checksum and check if it's "valid", unless you provide all the other data as well...
  • dusoft
    dusoft over 14 years
    You can't find the MAC address of the target computer if it's not on your local network. Don't forget!
  • nilamo
    nilamo over 14 years
    Why would you add multiple salts? That adds only in possibly confusing yourself, not in making anything more 'secure'.
  • thr
    thr over 14 years
    @nilamo: You're 100% correct, I think I meant to type "other random data" or something there too.
  • Chris Harrison
    Chris Harrison over 12 years
    Curiosity: Why specifically base62? Why not base64 for example?
  • TommyAutoMagically
    TommyAutoMagically over 12 years
    Base 62 restricts the resulting charset to (A-Za-z0-9). (26+26+10=62) This means you may be able to make certain convenient assumptions in your app about the makeup of keys. They also appear more consistent (since they are just alphanumeric) than Base64.
  • Philzen
    Philzen over 9 years
    I guess it's this paragraph that turns people off: "Warning: This function does not create random nor unpredictable strings. This function must not be used for security purposes." Otherwise: nice to know it's there.
  • Martin Thoma
    Martin Thoma over 9 years
    @Philzen: Probably. password_hash might be an interesting alternative.
  • MrMedicine
    MrMedicine over 3 years
    There is security in random keys when used in combination with SSL?
  • Fulldump
    Fulldump almost 3 years
    Please, do not do that. If two requests are processed in the same millisecond (quite probable), two users will get the same api key :S
  • AHeraldOfTheNewAge
    AHeraldOfTheNewAge almost 3 years
    It makes sense, that's great feedback! I think a quick fix is concatenating that time() function with some random number, so something like md5(time().rand()) would do better.