I want to create a secure REST API.
If I look at the Google API, for example, the API key is generated based on the domain.
From this I have two questions:
First, is it true/right that it uses a one-way hash? If yes, what if someone knows the hash method and the domain, so he can generate the API key and use it? And what hash method/function can I use?
The second is, what if a client makes a desktop application: how can he generate an API key that is accessed from the desktop, not a website that has a domain URL? I mean, they can generate an API key because they do not have a URL.
Is there any good way? How do I create a secured API and how do I create an API key?
BTW, I'm using PHP.
You can use and mix many hash methods with an additional salt, which can be based on domain + other logic; that will be very difficult to guess or crack (depending on what hash algorithms you use and other things), unless someone knows how it's done. You can also generate a UUID and use it as the API key (I would probably use that), http://en.wikipedia.org/wiki/Uuid version 4 for example; you can check the implementation details of it, or even think of some improvements easily.
Not quite sure what you mean there.
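The UUID version 4 approach suggested in the answer above, as an added PHP example that is not part of the original post. The function names (`uuid4`, `issueApiKey`, `verifyApiKey`), the in-memory `$store` array standing in for a database table, and the client labels are all hypothetical. Because the key is random rather than derived from the domain, knowing the domain and the hash function does not let anyone recompute it, and only a SHA-256 digest of the key is kept server-side.

```php
<?php
// Added example; all names here are hypothetical, not from the original post.

// Build an RFC 4122 version 4 UUID from 16 bytes of CSPRNG output.
function uuid4(): string
{
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // set version nibble to 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // set RFC 4122 variant bits
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

// Issue a key for a client label. Only the digest is stored, so a leaked
// key table does not hand out usable keys.
function issueApiKey(array &$store, string $clientId): string
{
    $key = uuid4();
    $store[hash('sha256', $key)] = $clientId;
    return $key; // give this to the client once; it cannot be recovered later
}

// Resolve a presented key to its client label, or null if unknown.
// The lookup is by digest, the same way an indexed database column would be used.
function verifyApiKey(array $store, string $presented): ?string
{
    return $store[hash('sha256', $presented)] ?? null;
}

// Constructed sample clients: one labelled by domain, one with no domain at all.
$store = [];
$webKeyA    = issueApiKey($store, 'example.com');
$webKeyB    = issueApiKey($store, 'example.com');
$desktopKey = issueApiKey($store, 'desktop-app-1');

var_dump($webKeyA === $webKeyB);               // same label, independent keys
var_dump(verifyApiKey($store, $desktopKey));   // resolves to its client label
var_dump(verifyApiKey($store, uuid4()));       // a key that was never issued
```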