

Ask HN: Best practices for storing API key's in a database - leftnode

I'm building a publicly facing HTTP API. To authenticate against it, users have an email address and a randomly generated API key.<p>An API key is essentially a password, and common practice tells me it should be one way hashed with bcrypt just like the actual passwords in my API are. However, many other websites display the API key to user when they sign in to their account (Github, for example, does this). This means the API key is not one-way hashed.<p>So, what are the best practices for storing an API key? In plaintext? Encrypted with a real encryption protocol? If my API is ever broken into and the database downloaded, they essentially have access to everyone's account because the API keys are plaintext or decryptable.<p>Any thoughts on how to do this securely?
======
zacharydanger
If it's got to be shown in plain text to the user then it _must not_ be a one-
way hash.

HTTPS everywhere, let your users regenerate their API keys at will.

