API Key Security: Best Practices for Developer Platforms

API Key Security Matters

API keys are the primary authentication method for many developer platforms. Getting them right is critical for security.

Generating Secure Keys

Use cryptographically secure random generators:

import { nanoid } from 'nanoid'

// Generate a 32-character API key with a prefix
const apiKey = `qapi_${nanoid(32)}`

The qapi_ prefix makes keys easily identifiable in logs and code scanning tools.

Storing Keys Securely

Never store API keys in plain text. Hash them before storing:

import { createHash } from 'crypto'

function hashApiKey(key: string): string {
  return createHash('sha256').update(key).digest('hex')
}

Rate Limiting

Implement per-key rate limiting to prevent abuse:

• Free tier: 100 requests/minute
• Pro tier: 1,000 requests/minute
• Enterprise: Custom limits

Key Rotation

Provide users with the ability to rotate keys without downtime:

1. Generate a new key
2. Both old and new keys work during a grace period
3. Old key is revoked after the grace period

Logging and Monitoring

Track API key usage for security monitoring:

• Log request counts per key
• Alert on unusual patterns
• Record last-used timestamps

QuizAPI Implementation

QuizAPI follows all these best practices. Learn more in our API documentation or manage your keys in the dashboard.