Security: florimondmanca/djangorestframework-api-key

Security

docs/security.md

Implementation details

Key generation scheme

An API key is composed of two items:

  • A prefix P, which is a generated string of 8 characters.
  • A secret key SK, which is a generated string of 32 characters.

The generated key that clients use to make authorized requests is GK = P.SK. It is treated with the same level of care as passwords:

  • Only a hashed version is stored in the database. The hashing algorithm is sha512. [1]
  • The generated key is shown only once to the client upon API key creation.

Grant scheme

Access is granted if and only if all of the following is true:

  1. The configured API key header is present and correctly formatted. [2]
  2. A usable API key with the prefix of the given key exists in the database. [3]
  3. The hash of the given key matches that of the API key.
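The two sections above (key generation and the three-step grant scheme) in working form. This is an added illustration, not code from djangorestframework-api-key: the header scheme "Api-Key <key>", the alphanumeric alphabet, the unsalted SHA-512 digest and the in-memory store are all assumptions made here for the example.

```python
"""Illustrative API key scheme: prefix + secret, SHA-512 at rest, three-step grant.
Added example; not the package's own implementation."""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed character set
PREFIX_LENGTH = 8
SECRET_LENGTH = 32
HEADER_SCHEME = "Api-Key"  # assumed header format "Api-Key <P.SK>"


def random_string(length):
    """Cryptographically random alphanumeric string of the given length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_key():
    """Return (prefix P, secret SK, generated key GK = P.SK)."""
    prefix = random_string(PREFIX_LENGTH)
    secret_key = random_string(SECRET_LENGTH)
    return prefix, secret_key, f"{prefix}.{secret_key}"


def hash_key(generated_key):
    """SHA-512 of the full generated key; the only form kept at rest.
    Unsalted here for brevity; the page names only the algorithm."""
    return hashlib.sha512(generated_key.encode("utf-8")).hexdigest()


class APIKeyStore:
    """Stand-in for the database table, rows keyed by prefix."""

    def __init__(self):
        self.rows = {}

    def create(self, name):
        """Create a key, store only its hash, and return GK exactly once."""
        prefix, _, generated_key = generate_key()
        self.rows[prefix] = {
            "name": name,
            "hashed_key": hash_key(generated_key),
            "revoked": False,
        }
        return generated_key  # the only time the cleartext key is available

    def revoke(self, prefix):
        self.rows[prefix]["revoked"] = True

    def get_usable(self, prefix):
        """Step 2: an unrevoked key with this prefix, or None."""
        row = self.rows.get(prefix)
        if row is None or row["revoked"]:
            return None
        return row


def parse_key_header(header_value):
    """Step 1: header present and of the form 'Api-Key P.SK'; return GK or None."""
    if not isinstance(header_value, str):
        return None
    parts = header_value.split()
    if len(parts) != 2 or parts[0] != HEADER_SCHEME:
        return None
    key = parts[1]
    prefix, sep, secret = key.partition(".")
    if sep != "." or len(prefix) != PREFIX_LENGTH or len(secret) != SECRET_LENGTH:
        return None
    return key


def is_authorized(store, header_value):
    """Grant access if and only if all three conditions hold."""
    generated_key = parse_key_header(header_value)
    if generated_key is None:
        return False  # 1. header missing or malformed
    prefix = generated_key.split(".", 1)[0]
    row = store.get_usable(prefix)
    if row is None:
        return False  # 2. no usable key with that prefix
    # 3. hash of the presented key must match the stored hash (constant-time compare)
    return hmac.compare_digest(row["hashed_key"], hash_key(generated_key))


if __name__ == "__main__":
    store = APIKeyStore()
    gk = store.create("demo-client")
    print("granted:", is_authorized(store, f"{HEADER_SCHEME} {gk}"))
    store.revoke(gk.split(".", 1)[0])
    print("granted after revocation:", is_authorized(store, f"{HEADER_SCHEME} {gk}"))
```

Note that lookup by prefix is what makes the scheme practical: the store never needs the cleartext key, and the prefix lets a single row be located before the full hash is compared.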

Caveats

API keys ≠ Security: depending on your situation, you should probably not use API keys only to authorize your clients.

Besides, it is NOT recommended to use this package for authentication, i.e. retrieving user information from API keys.

Indeed, using API keys shifts the responsibility for information security onto your clients. This induces risks, especially if obtaining an API key gives access to confidential information or write operations. For example, an attacker could impersonate a client whose API key has leaked.

As a best practice, you should apply the Principle of Least Privilege: allow only those who require resources to access those specific resources. In other words: if your client needs to access an endpoint, add API permissions on that endpoint only instead of the whole API.

Besides, it is highly recommended to serve the API over HTTPS to ensure the confidentiality of API keys passed in requests.

Act responsibly!

Footnotes

  1. Older versions of this module used the same hashers as Django's PASSWORD_HASHERS. These hashers come with a large performance penalty and, while critical for passwords, they aren't needed for high-entropy, randomly generated keys like the ones created by this module. Keys stored using these slower hashers will be upgraded when used.

  2. To customize this behavior, see API key parsing.

  3. Only unrevoked keys are usable by default, but this can be customized with a custom manager.

There aren’t any published security advisories
