API Key Authentication Best Practices

zuplo.com

38 points by nathantotten 3 years ago · 6 comments

sghosh2 3 years ago

The checksum validation was something I hadn't come across before. Interesting way to minimize the load on the API key store.

  • molmorg 3 years ago

    Yeah, some folks might consider going further and use hashes that are salted or one-way encrypted via a key so that nobody else can recreate the checksum. Some performance tradeoffs, but it can prevent some other vectors like cache-filling etc.
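The checksum-before-lookup idea from the parent comment, with the keyed variant molmorg describes, as an added example (not the article's or Zuplo's code); the key format, the `zpka` prefix, the checksum length and the in-memory store are my assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed (constructed) key format: "<prefix>_<random>_<checksum>", where the
# checksum covers the random part. Prefix, lengths and key are demo choices.
PREFIX = "zpka"
CHECK_BYTES = 6
SERVER_KEY = b"constructed-demo-secret"  # would come from a KMS in practice


def _b32(raw: bytes) -> str:
    return base64.b32encode(raw).decode().rstrip("=").lower()


def _checksum(random_part: str, key: Optional[bytes]) -> str:
    data = random_part.encode()
    if key is None:
        # plain checksum: anyone can recompute it, so it only catches typos/truncation
        digest = hashlib.sha256(data).digest()
    else:
        # keyed checksum: only the server can compute it, so fabricated keys that
        # would otherwise miss the cache and hit the store are rejected up front
        digest = hmac.new(key, data, hashlib.sha256).digest()
    return _b32(digest[:CHECK_BYTES])


def generate_key(key: Optional[bytes] = SERVER_KEY) -> str:
    random_part = _b32(secrets.token_bytes(20))
    return f"{PREFIX}_{random_part}_{_checksum(random_part, key)}"


def checksum_valid(api_key: str, key: Optional[bytes] = SERVER_KEY) -> bool:
    parts = api_key.split("_")
    if len(parts) != 3 or parts[0] != PREFIX:
        return False
    return hmac.compare_digest(_checksum(parts[1], key), parts[2])


def store_fingerprint(api_key: str) -> str:
    # irretrievable storage: the store holds a hash of the key, never the key
    return hashlib.sha256(api_key.encode()).hexdigest()


def authenticate(api_key: str, store: dict, key: Optional[bytes] = SERVER_KEY) -> bool:
    # cheap local check first; the key store is consulted only for well-formed keys
    if not checksum_valid(api_key, key):
        return False
    return store_fingerprint(api_key) in store
```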

ChaosMuppet 3 years ago

With regards to secret scanning, a shout-out to the "secret-token" URI scheme https://datatracker.ietf.org/doc/html/rfc8959

Also, in addition to showing the creation date of the API key, I find it super friendly if it is possible to name the API key (and/or add a note to it).

devCreek 3 years ago

Regarding retrievable vs. irretrievable, I think it is a matter of who you delegate the ownership of the security to. Using irretrievable, you are transferring that to your users, who in a lot of scenarios just store them in plain text in non-secure places.

I think having the chance to retrieve the API keys gives a much better Developer Experience to your consumers.

  • DataOverload 3 years ago

    Never thought of it that way, and honestly this is so correct. Some of my PATs are stored in Apple Notes because I need them every so often. I guess I could use something like 1Password to store them securely but it's just another transfer of ownership and trust.

molmorg 3 years ago

Author of the article here - look forward to any discussion here. Curious how many folks have already implemented something like this themselves... did you make different decisions?
