I'm building an API server. It has auth and other micorservices that talk to it.
Now I want to create ApiKeys and Secrets.
I basically want to create something like this, https://mailchimp.com/help/about-api-keys/. Someone can login and generate an ApiKey and Secret that can be used to communicate with my API that I've made. This way people can make cool bots and what not.
What are the best practices I need to know and what should I look out for/keep in mind when build this? Some things I have in mind already are:
- Permissions/Roles for ApiKeys.
- Deleting keys if user account is deleted (so obviously keep a reference of who's creating the Keys)
- Obviously generate the key with some UUID.
- Secure secrets in database with a hash/encryption.
- Should ApiKeys be allowed to create more ApiKeys?
- How will these be sent? Via headers?
- List item
If you know of more things to keep in mind and "best practices" please tell!
question from:
https://stackoverflow.com/questions/65921280/best-practices-and-things-to-keep-in-mind-when-creating-apikeys-and-secret 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
