implementing-api-key-security-controls

# Implementing API Key Security Controls ## When to Use - Designing secure API key generation with sufficient entropy and identifiable prefixes for leak detection - Implementing server-side API key hashing (never storing keys in plaintext) with SHA-256 or bcrypt - Building key rotation workflows that allow zero-downtime key replacement for API consumers - Configuring per-key scoping to limit each API key to specific endpoints, IP ranges, and rate limits - Setting up automated monitoring for API key leakage in GitHub repos, logs, and client-side code **Do not use** API keys as the sole authentication mechanism for user-facing applications. API keys are best suited for server-to-server communication and developer access. ## Prerequisites - Secure random number generator (os.urandom, secrets module) for key generation - Database with proper encryption at rest for storing hashed API keys - Redis or similar store for key-to-metadata caching and rate limiting - Secret scanning tools (GitHub secret scanning, truffleHog, gitleaks) - Monitoring and alerting infrastructure for key usage anomalies ## Workflow ### Step 1: Secure API Key Generation ```python import secrets import hashlib import hmac import time import json from datetime import datetime, timedelta class APIKeyManager: """Manages secure API key lifecycle: generation, storage, validation, rotation.""" # Key format: prefix_base64random (e.g., sk_live_a1b2c3d4e5f6...) # Prefix identifies the key type and ...