How to Generate an API Key
11 hours ago
- #Key Management
- #API Security
- #Software Development
- Use cryptographically secure random number generator (CSPRNG) for 128 bits of randomness.
- Add human-readable prefix indicating type and environment (e.g., sk_live_).
- Store only the SHA-256 hash; never store plaintext keys; show key only once.
- Verify keys via four-step process: format validation, hashing, database lookup, scope check.
- Implement revocation and rotation with grace periods for compromised keys.
- Differentiate between secret keys (sk_) for server-side and publishable keys (pk_) for client-side.
- Follow Stripe's widely adopted API key format as a model.
- Use Express middleware for authentication in Node.js applications.
- Avoid common mistakes like hardcoding keys in frontend bundles, logging raw keys, and skipping prefixes.