how to create strong api key

Ahmad picture Ahmad · Oct 20, 2011 · Viewed 14.1k times · Source

I want create a secure REST API

If i see the google API for example, the API KEY is generated based on domain.

from this i got two question :

First, is that true/right using one way hash ?, if yes how if someone know the hash method and the domain, so he can generate api key and use it. and what hash method/function that i can use ?

The second is, how if client make a desktop application, how he can generate API KEY which accessed from desktop, now a website that have a domain url. i mean, they can generate api key because not have url.

is there any good way ?, how to create a secured api and how to create a api key ?

btw i'm using PHP

Answer

nimmen picture nimmen · Oct 20, 2011
  1. you can use and mix many hash methods with additional salt, which can be based on domain+other logic, that will be very difficult to guess or crack (depends what hash algorithms you will use and other things), unless someone knows how its done. you can also generate UUID and use it as api key(probably i would use that), http://en.wikipedia.org/wiki/Uuid version 4 for example, you can check the implementation details of it, or even think of some improvements easily.

  2. not quite sure what you mean there.