I'm currently generating UUIDs in Python as follows:
import uuid
import secrets
uuid.UUID(bytes=secrets.token_bytes(16))
Is this safe to be used as an API token or access token?
UUID 1 to Generate a unique ID using MAC Address
The uuid.uuid1() function is used to generate a UUID from the host ID, sequence number, and the current time. It uses the MAC address of a host as a source of uniqueness. The node and clock_seq are optional arguments.
You can use, as mentioned, the built-in uuid module. The new secrets module released in 3.6 is also capable of creating unique tokens. The function below creates a unique token every time it's called.
To get the API token for a user, an HTTP POST request should be sent to the Token resource. In the post body, username and password are specified in JSON format, and the response body contains a token key with an actual API Token as the value.
Access Token is used by an application to access API on behalf of a user. The two formats of tokens supported in OTK are UUID (default) and JSON Web Token (JWT).
To generate hexadecimal tokens, import the secrets package, then use the .token_hex() function, passing the length of the hex string to create as the first argument. To generate a UUID, import the uuid package and use the .uuid4() function like this:
UUID, Universal Unique Identifier, is a Python library which helps in generating random objects of 128 bits as ids. It provides uniqueness as it generates ids on the basis of time and computer hardware (MAC etc.).
Advantages of UUID:
Can be used as general utility to generate unique random id.
Can be used in cryptography and hashing applications.
Generating Random id's using UUID in Python.
1. bytes : Returns id in form of 16 byte string.
2. int : Returns id in form of 128-bit integer.
3. hex : Returns random id as 32 character hexadecimal string.
Generating hash ids using uuid3() and uuid5() in Python
1. Syntax: uuid5(namespace, string). uuid5 uses SHA-1 hash value to create the identifier. The namespace can be NAMESPACE_DNS: used when name string is fully qualified domain name.
2. Example
3. Output
Two reasons that your current approach is, arguably, a safe and sound one:
secrets is designed specifically with the purpose of generating cryptographically strong random numbers;
token_bytes() is really just a call to os.urandom(), which in turn returns random bytes from an OS-specific randomness source.*
A suggestion - uuid.uuid4() does basically this same exact thing without the overhead of calling intermediary functions:
# https://github.com/python/cpython/blob/3.5/Lib/uuid.py
def uuid4():
    """Generate a random UUID."""
    return UUID(bytes=os.urandom(16), version=4)
One other suggestion regardless - you can use .hex of the resulting UUID object to get a nice non-hyphenated string.
>>> uuid.uuid4().hex
'22c482ef3cd84c26bb49c0287828428f'
*On Unix, that's /dev/urandom, which collects info from sources like device drivers. I.e. garbled info that is particular to the generating machine but sufficiently random and not identifiable of the host computer itself.
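What the question's construction and uuid4() each do with the same 16 random bytes, plus one way to check such a token server-side, as an added example that is not part of the original posts. The function names, the constructed sample bytes and the choice to store only a SHA-256 digest are assumptions of this example and go slightly beyond what the page discusses.

```python
import hashlib
import hmac
import secrets
import uuid


def version_and_variant(u):
    """Return the 4-bit version field and the top 2 variant bits of a UUID."""
    return (u.int >> 76) & 0xF, (u.int >> 62) & 0x3


def from_raw(raw):
    """Build a UUID from 16 bytes the question's way and the uuid4() way."""
    as_question = uuid.UUID(bytes=raw)           # all 128 bits kept as given
    as_uuid4 = uuid.UUID(bytes=raw, version=4)   # 6 bits overwritten, 122 stay random
    return as_question, as_uuid4


def issue_token():
    """Return (token handed to the client, SHA-256 digest kept server-side)."""
    token = uuid.UUID(bytes=secrets.token_bytes(16)).hex
    return token, hashlib.sha256(token.encode()).hexdigest()


def verify_token(presented, stored_digest):
    """Constant-time comparison of a presented token against the stored digest."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    raw = bytes(range(16))  # constructed fixed input so the output is repeatable
    q, a = from_raw(raw)
    print(q, version_and_variant(q))   # version/variant are whatever the bytes held
    print(a, version_and_variant(a))   # version 4, RFC 4122 variant
    token, digest = issue_token()
    print(verify_token(token, digest), verify_token(uuid.uuid4().hex, digest))
```

The question's form keeps all 128 random bits but is not a well-formed version 4 UUID, so a strict UUID validator may reject it; uuid4() is well-formed and carries 122 random bits.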