How to create a strong API key

Tags: php, api-key, api

I want to create a secure REST API.

If I look at the Google API for example, the API key is generated based on the domain.

From this I have two questions:

First, is it true/right to use a one-way hash? If yes, what if someone knows the hash method and the domain, so he can generate the API key and use it? And what hash method/function can I use?

The second is, what if the client makes a desktop application? How can he generate an API key which is accessed from a desktop, not a website that has a domain URL? I mean, they can't generate an API key because they don't have a URL.

Is there any good way? How do I create a secured API and how do I create an API key?

By the way, I'm using PHP.

Ahmad Avatar asked Oct 20 '11 08:10

Ahmad




4 Answers

  1. You can use and mix many hash methods with an additional salt, which can be based on the domain plus other logic; that will be very difficult to guess or crack (depends on what hash algorithms you use and other things), unless someone knows how it's done. You can also generate a UUID and use it as the API key (probably I would use that), http://en.wikipedia.org/wiki/Uuid version 4 for example; you can check the implementation details of it, or even think of some improvements easily.

  2. Not quite sure what you mean there.

nimmen Avatar answered Oct 17 '22 02:10

nimmen


If you plan on using a one way hash, you should definitely look into salting. You can generate something like a 10 character random string (this will be your salt), either append or prepend the salt to domain (what you initially wanted to hash), then pass it through a one way hashing algorithm of your choice.

I'm guessing you're storing your API keys inside some sort of database. You would first do what I explained above, then store that salted and hashed password in your database along with the random salt you generated. This way, if someone knows the hashing algorithm you're using, they would still need to get their hands on the salt. If you make your salt random (like I said earlier), they most likely won't be able to guess it :)

There's one additional step if you plan on using this approach. When checking if the API key is correct, you would take the given API key, go through your table and find the salt you used on that API key (you can query the table using the users username), append or prepend that salt to the key, then send it through the same hashing algorithm. If it matches the one in your database, it's a correct key!

Hope this helps! :)

xDranik Avatar answered Oct 17 '22 02:10

xDranik


Ok, so if you have a database table storing API keys and clients using them, you would build unique keys for all clients. You can easily randomize characters, optionally hash them and store that as the key.

e.g.

$length = 16; // 16 chars long
$key = "";
for ($i = 1; $i <= $length; $i++) {
    // ASCII range for upper-case letters A-Z
    $alph_from = 65;
    $alph_to = 90;

    // ASCII range for digits 0-9
    $num_from = 48;
    $num_to = 57;

    // Pick a letter or a digit at random. random_int() (PHP 7+) draws from
    // the system CSPRNG, unlike rand(), which is a predictable PRNG and
    // not suitable for key material.
    $chr = random_int(0, 1) ? chr(random_int($alph_from, $alph_to)) : chr(random_int($num_from, $num_to));
    // Randomly lower-case the character (no effect on digits)
    if (random_int(0, 1)) $chr = strtolower($chr);
    $key .= $chr;
}

If you want to hash this, you can use MD5 or SHA1, but you will need to reverse compare in the database, e.g.

SELECT * FROM api_keys WHERE MD5(`key`) = INPUT

I hope this helps

Prof Avatar answered Oct 17 '22 01:10

Prof
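The two answers above (xDranik's salted-hash storage and Prof's random key with a hashed lookup) can be combined into one pattern: generate the key from the CSPRNG, store only a keyed hash of it, and verify with a constant-time comparison. The following is an added example, not code from any of the answers; the in-memory `$apiKeyTable` array stands in for a database table, and `$serverPepper` is an assumed server-side secret that would normally be loaded from configuration rather than written in source.

```php
<?php
// Added example: issue and verify random API keys without storing them in
// plaintext. $apiKeyTable simulates a database table and $serverPepper is a
// placeholder for a secret kept in server configuration (both assumptions).

declare(strict_types=1);

const KEY_ID_BYTES = 8;   // public identifier, used only to find the row
const SECRET_BYTES = 32;  // 256 bits of randomness for the secret part

// Assumed server-side secret (pepper). Placeholder value for this demo only.
$serverPepper = 'replace-with-a-secret-loaded-from-config';

// Simulated database table: key id => ['client' => ..., 'hash' => ...]
$apiKeyTable = [];

// Encode raw bytes as URL-safe base64 without padding so the key can travel
// in headers and query strings without escaping.
function base64UrlEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Hash the secret part with an HMAC keyed by the server pepper. The secret
// is uniformly random (256 bits), so a per-key salt is not needed to defeat
// precomputation; the pepper additionally protects a leaked database dump
// when the attacker does not also hold the application configuration.
function hashSecret(string $secret, string $pepper): string
{
    return hash_hmac('sha256', $secret, $pepper);
}

// Issue a key for a client. The full key is returned to be shown to the
// client once; only its hash is kept in the table.
function issueApiKey(array &$table, string $client, string $pepper): string
{
    $keyId  = base64UrlEncode(random_bytes(KEY_ID_BYTES));
    $secret = base64UrlEncode(random_bytes(SECRET_BYTES));

    $table[$keyId] = [
        'client' => $client,
        'hash'   => hashSecret($secret, $pepper),
    ];

    // Key format <id>.<secret>: the id locates the row without hashing,
    // the secret is what proves possession.
    return $keyId . '.' . $secret;
}

// Verify a presented key. Returns the client name on success, null otherwise.
function verifyApiKey(array $table, string $presented, string $pepper): ?string
{
    $parts = explode('.', $presented, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$keyId, $secret] = $parts;

    if (!isset($table[$keyId])) {
        return null;
    }

    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of the hash matched.
    $expected = $table[$keyId]['hash'];
    if (!hash_equals($expected, hashSecret($secret, $pepper))) {
        return null;
    }
    return $table[$keyId]['client'];
}

// Demo run: issue one key, then check a valid key, a tampered key and garbage.
$key = issueApiKey($apiKeyTable, 'desktop-client-42', $serverPepper);
echo "Issued key (show to the client once): $key\n";

foreach ([$key, $key . 'x', 'not-a-key'] as $candidate) {
    $client = verifyApiKey($apiKeyTable, $candidate, $serverPepper);
    echo $candidate, ' => ', $client === null ? 'rejected' : "accepted for $client", "\n";
}
```

Because the key is drawn from `random_bytes()` rather than derived from a domain, the same issuance step works for a desktop application that has no URL, which addresses the second part of the question: the client simply receives its key once and presents it on each request. The table row holds the client name and the HMAC, so a database leak exposes neither usable keys nor anything that can be brute-forced offline in practice.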


This function will return a random string every time. It will help you generate an API key and secret by calling it two times and storing the values in variables. This is a simple way to generate a new key every time.

function generateRandomString($length = 30)
{
    // Alphabet of digits and letters; the digits appear twice and the current
    // timestamp is appended, so digits are drawn more often than letters.
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0987654321' . time();
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = $length; $i > 0; $i--) {
        // random_int() (PHP 7+) uses the CSPRNG, unlike rand(), which is predictable
        $randomString .= $characters[random_int(0, $charactersLength - 1)];
    }
    return $randomString;
}


I think this is simple and useful.
Nikhil Thombare Avatar answered Oct 17 '22 02:10

Nikhil Thombare