API Key Security: Best Practices for Developer Platforms
Learn how to securely generate, store, and manage API keys. We cover hashing, rate limiting, rotation, and common pitfalls to avoid.
API Key Security Matters
API keys are the primary authentication method for many developer platforms. Getting them right is critical for security.
Generating Secure Keys
Use cryptographically secure random generators:
import { nanoid } from 'nanoid'
// Generate a 32-character API key with a prefix
const apiKey = `qapi_${nanoid(32)}`
The qapi_ prefix makes keys easily identifiable in logs and code scanning tools.
Storing Keys Securely
Never store API keys in plain text. Hash them before storing:
import { createHash } from 'crypto'
function hashApiKey(key: string): string {
return createHash('sha256').update(key).digest('hex')
}
Rate Limiting
Implement per-key rate limiting to prevent abuse:
- Free tier: 100 requests/minute
- Pro tier: 1,000 requests/minute
- Enterprise: Custom limits
Key Rotation
Provide users with the ability to rotate keys without downtime:
- Generate a new key
- Both old and new keys work during a grace period
- Old key is revoked after the grace period
Logging and Monitoring
Track API key usage for security monitoring:
- Log request counts per key
- Alert on unusual patterns
- Record last-used timestamps
QuizAPI Implementation
QuizAPI follows all these best practices. Learn more in our API documentation or manage your keys in the dashboard.
Enjoyed this article?
Share it with your team or try our quiz platform.