API Keys
Secret hashed (bcrypt)
Shown once
TLS only
Per-key rate limiting
IP allowlist support
Instant revoke/rotate
Facilitator API Keys:
None required
Facilitator is public
Your Application:
YOU generate API keys for your users
Protect YOUR API endpoints
Rate limit YOUR users
Example API Key System:
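import secrets
import hashlib
from datetime import datetime

def generate_api_key(user_id):
    # Random key from the OS CSPRNG, with an application prefix
    key = f"myapp_{secrets.token_urlsafe(32)}"
    # Only the SHA-256 digest is persisted, never the key itself
    key_hash = hashlib.sha256(key.encode()).hexdigest()
    # Store hash in YOUR database (db is your application's database handle)
    db.api_keys.insert_one({
        "key_hash": key_hash,
        "user_id": user_id,
        "created_at": datetime.utcnow()
    })
    return key  # Show to user ONCE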
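The generation code above covers only issuing a key. The following added example (not part of the original page) shows the matching verification, revoke and rotate paths against the stored hash. The in-memory `KEY_STORE` dict stands in for `db.api_keys`, and the function names and the `revoked_at` field are assumptions made for this illustration.

```python
import hashlib
import secrets
from datetime import datetime, timezone

PREFIX = "myapp_"   # same prefix as the generation example
KEY_STORE = {}      # key_hash -> record; stand-in for db.api_keys (assumption)

def hash_key(key):
    return hashlib.sha256(key.encode()).hexdigest()

def issue_key(user_id):
    key = PREFIX + secrets.token_urlsafe(32)
    KEY_STORE[hash_key(key)] = {
        "user_id": user_id,
        "created_at": datetime.now(timezone.utc),
        "revoked_at": None,   # hypothetical field used for instant revoke
    }
    return key  # plaintext leaves the server exactly once

def verify_key(presented):
    """Return the owning user_id for an active key, otherwise None."""
    # Reject malformed input before hashing anything
    if not isinstance(presented, str) or not presented.startswith(PREFIX):
        return None
    # Lookup is by digest, so the plaintext key is never compared or stored
    record = KEY_STORE.get(hash_key(presented))
    if record is None or record["revoked_at"] is not None:
        return None
    return record["user_id"]

def revoke_key(key_hash):
    """Mark a key revoked; takes the hash so support staff never need the key."""
    record = KEY_STORE.get(key_hash)
    if record is None or record["revoked_at"] is not None:
        return False
    record["revoked_at"] = datetime.now(timezone.utc)
    return True

def rotate_key(presented):
    """Issue a replacement for a valid key, then revoke the old one."""
    user_id = verify_key(presented)
    if user_id is None:
        return None   # unknown or already revoked keys cannot be rotated
    new_key = issue_key(user_id)
    revoke_key(hash_key(presented))
    return new_key
```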