4

When FaceBook or Google give me an API key, are they just storing it in a database?

Unlike a password, where you can hash and salt it before putting it in the database, it seems to me that a key needs to be stored as-is (or else in a reversible form) so that they can provide it to me upon request.

My concern is with storing immediately usable information in my databases.

I understand that the exact method these companies use is only speculation, unless you are a past employee or have unique insider information, but I'm wondering if there is a most commonly accepted best-practice.

Birrel
  • 259
  • 2
  • 5

1 Answers1

7

API keys are technically just long passwords. It's altogether possible that a service provider would compute a new key, include it in an email to you, salt it, hash it, store the hash and then throw away the original.

(If you re-request it they can just re-generate a new key and send that - who's going to complain? Certainly not you, since you just declared that you don't know the old key anymore.)

Kilian Foth
  • 107,706
  • 45
  • 295
  • 310
  • I suppose that's probably the safest method. I know certain services store it, so I can log in to my account and view it at a later date, but I think I like this one better. Not a fan of trusting my databases and firewalls against baddies. – Birrel Dec 23 '15 at 14:04