My adventure in designing API keys
3 days ago
- #Performance Optimization
- #API Keys
- #Database Sharding
- API keys are tokens for authenticating and authorizing access to public APIs without sessions.
- Common API key format includes a prefix (e.g., gh, sk_live), random hex characters, and a checksum.
- API keys are hashed and stored in databases for security, with only the first few characters sometimes displayed.
- A multi-tenant system with sharding required routing requests to correct database shards using API keys.
- Approaches considered for mapping API keys to accounts included direct hash-to-account ID mapping, unique prefix mapping, and encoded string methods.
- Benchmarks showed full SHA-256 hashing performed better than Base-62 or Base-70 encoding due to B-Tree efficiency and slow BigInt operations in JavaScript.
- SHAKE256 with base64url encoding was chosen for reduced size and good performance, with 10-character encoding selected to minimize collision risk.
- Key learnings include insights into B-Tree indexing, hash algorithms, and the importance of thorough testing and avoiding assumptions.