So I’ve had this idea for an API for a while but the problem I keep coming back to is authentication. I’m using rocket to actually code it. I looked through the rocket docs and it looks like the closest thing to API key authentication it has are cookies.

I then went and looked at some other APIs to see if I can copy their layouts and it looks like a lot of them use an API key and then a secret API key for authentication. Did some more googling and Stack Overflow said that it’s more secure to use a pair like that.

So that leaves me with the actual question: how do you actually implement this feature? Do you just generate API keys and throw them in a database to be looked up later? Should they be written/read to a file to be used later (probably not a good option, I’d guess)?

Just for reference I’m using rocket, sqlx and postgres.

  • ExperimentalGuy@programming.dev (OP)
    2 days ago

    Sweet, thanks for the link! I didn’t realize it was that complicated.

    Do you know if there’s a crate or library that already implements this functionality that I can pull from?

    • solrize@lemmy.ml
      1 day ago

      I didn’t mean to make it sound complicated! What is the application if you don’t mind my asking? Basically the paranoia level you need increases with the threat level ;). I’m afraid I don’t know anything about the crate world. I’m sure there is an HMAC function in some Rust library though.
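
One way to do the "generate keys and look them up in a database" approach asked about in the thread, as an added example that is not from any poster: issue a public key ID plus a secret, store only an HMAC of the secret, and compare in constant time on lookup. It uses the Python standard library with in-memory SQLite standing in for Postgres so it runs stand-alone; the table, column and function names are hypothetical, and applying HMAC to the stored secret is an assumption about how the HMAC suggestion would be used.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Server-side HMAC key. Constructed at random here; assumed to be loaded from
# configuration kept outside the database in a real deployment.
SERVER_KEY = secrets.token_bytes(32)

def open_db():
    """Create the (hypothetical) api_keys table; SQLite stands in for Postgres."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE api_keys ("
        " key_id TEXT PRIMARY KEY,"          # public identifier sent with each request
        " secret_mac BLOB NOT NULL,"         # HMAC-SHA256 of the secret, never the secret
        " revoked INTEGER NOT NULL DEFAULT 0)"
    )
    return db

def mac_secret(secret: str) -> bytes:
    """Keyed digest of the secret; a database dump alone does not yield usable keys."""
    return hmac.new(SERVER_KEY, secret.encode(), hashlib.sha256).digest()

def issue_key(db):
    """Generate a key pair from the OS CSPRNG; the secret is shown to the client once."""
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    db.execute("INSERT INTO api_keys (key_id, secret_mac) VALUES (?, ?)",
               (key_id, mac_secret(secret)))
    return key_id, secret

def verify_key(db, key_id: str, secret: str) -> bool:
    """Look up by key ID (parameterized query), then compare MACs in constant time."""
    row = db.execute("SELECT secret_mac, revoked FROM api_keys WHERE key_id = ?",
                     (key_id,)).fetchone()
    # Compare against a dummy value when the ID is unknown so both paths do the same work.
    stored = row[0] if row else bytes(32)
    matches = hmac.compare_digest(mac_secret(secret), stored)
    return matches and row is not None and not row[1]

def revoke_key(db, key_id: str) -> None:
    """Mark a key unusable without deleting its audit trail."""
    db.execute("UPDATE api_keys SET revoked = 1 WHERE key_id = ?", (key_id,))
```

The same steps carry over to a Rocket request guard backed by sqlx: read the key ID and secret from request headers, run the parameterized lookup, and reject the request when verification fails.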