
Throughout my career, I've relied on and used various API services in my projects. I have seen multiple mechanisms for how these APIs are secured, but the most common one seems to be via API keys.

I am now planning to build out my own API service and, being unfamiliar with the security part of this, I had a few questions:

So far, what I have gathered is to do the following: create an API key, store its hash in the DB, only show the API key to the user one time, check for the API key in requests, and rate-limit based on it.

But the above raises one concern: if someone were to inspect a customer's website, they could easily get this API key (if the customer is calling the API directly from their front end) and abuse it, correct? This could be done in the form of constantly hitting rate limits or sending bad data to the customer's dashboard.

I feel like I am missing a few key parts here and would appreciate it if someone could outline best practices for how this is done nowadays in NodeJS. Thank you.

EDIT: Users of such a service would be developers utilizing this API in their product.

Ilja
  • Hi Ilja, have you considered OAuth? This way the token that you get is time-limited and therefore can only be used / abused for a short period of time. – James Wilson May 16 '22 at 14:29
  • @JamesWilson hey, yep, indeed I looked at this, but in my case I need to provide users (in this case developers that implement my API) a long-lived token and secure against it, so I don't think OAuth would be the right solution here. – Ilja May 16 '22 at 14:46
  • I think the question is not about Node but about general auth schemes. In that case you need to understand what the use case is for your users. You definitely want each user to have a unique token, etc. You can make a login endpoint which they have to hit first to GET the "token" or the [JWT](https://jwt.io/introduction) – mpod May 18 '22 at 09:07

0 Answers