Google, Stripe and many other companies have a public API key and a secret API key.
It is easy to generate random strings but my question is, how can I generate public and secret keys, store them and use them properly?
The public API key is to tell who the user is and the secret is to confirm their identity.
My flow is as follows:
- User creates an account
- User activates a service (in-house)
- The service returns a public and a secret API key (UARRHAtPtJcLxx5RmMWo9oTrca4gRt2k, C9YS7Mhzichq2vqBuRkNJxkNci5W2Xua)
- User uses the public key on his/her website and the private key on the server-side
I am using nodejs and the public key is generated on demand, when the user asks for an API key:
let public = await crypto.randomBytes(32).toString('base64');
Storing the secret in a database would be like storing a password in plaintext. I presume we do not want this and it needs to be hashed somehow. Do I generate a "private" key and hash it using argon2, for example? The user will never be able to see his/her key again and will need to save it right away; is this good practice?
I couldn't find much information on how this is supposed to work.
Registering the app with the API product generates the API key for accessing the APIs in that product. A string with authorization information that a client-side app uses to access the resources exposed by the API product. The API key is generated when a registered app is associated with an API product.
The key consists of code passed between an API and application services. The code calls programs from another application, and the key then identifies the end-user, the developer of the code, and the application making the API call. In this sense, the API key acts as an authentication token or a unique identifier.
API keys are used for authenticating a calling program to another API -- typically to confirm a project is authorized to connect. Project authorization rules are created and managed by the API owner or source. API keys may serve as an initial authentication or security step by passing a secure authentication token.
Technically what you are referring to are just a username and a password. The only important difference is these are typically generated by the API and very random, as opposed to a real username and password which are chosen by a user, and usually not very random. (Calling these public and private keys is a little misleading as public key cryptography is different - you don't typically need that for API keys, managing a PKI is a can of worms, and also very costly to do it properly.)
As these are technically the same as a username and a password, you want to treat them similarly. Let's call these client id (the "public" part) and client key (the "secret" part).
A few thoughts: crypto.randomBytes() as above is fine (log2(62^22) =~ 130.99). You can always go longer of course; for 256 bits you would need a length of 43 with case-sensitive alphanumeric.

I think we can generate a pair of public key and secret key (private key) using the code below; you can refer to the documentation on generating a key pair.
// Generate an RSA key pair. The synchronous variant is used so that pk and sk
// are populated before they are used for the HMAC step below; with the
// callback form they were still empty strings when the HMAC was computed.
const crypto = require('crypto');
const { generateKeyPairSync } = crypto;

var pk = "";
var sk = "";
var payload = 'request body to sign'; // placeholder: the data being authenticated
var string = payload;

try {
  const { publicKey, privateKey } = generateKeyPairSync('rsa', {
    modulusLength: 4096,
    publicKeyEncoding: {
      type: 'spki',
      format: 'pem'
    },
    privateKeyEncoding: {
      type: 'pkcs8',
      format: 'pem',
      cipher: 'aes-256-cbc',
      passphrase: 'top secret' // placeholder passphrase protecting the private key PEM
    }
  });
  pk = publicKey;  // PEM-encoded public key
  sk = privateKey; // PEM-encoded, passphrase-encrypted private key
} catch (error) {
  console.log(error);
}
Now we have a secret key and a public key, so we can implement HMAC authentication (see the HMAC authentication docs).
// Compute an HMAC over the payload with the secret key and send it along with
// the public key and the payload. The request package must be installed first.
var request = require('request');
var API_URL = 'https://example.invalid/api'; // placeholder: the endpoint being called
var hmac = require('crypto').createHmac('sha384', sk).update(string).digest('hex');
request.post({ uri: API_URL, json: { hmac, pk, string } }, function (err, response, body) {
  if (err) {
    return console.error(err);
  }
  console.log(body);
});