How do large corporations store API keys?

Question

When FaceBook or Google give me an API key, are they just storing it in a database?

Unlike a password, where you can hash and salt it before putting it in the database, it seems to me that a key needs to be stored as-is (or else in a reversible form) so that they can provide it to me upon request.

My concern is with storing immediately usable information in my databases.

I understand that the exact method these companies use is only speculation, unless you are a past employee or have unique insider information, but I'm wondering if there is a most commonly accepted best-practice.

score 7 · Accepted Answer · answered Dec 23 '15 at 13:58

API keys are technically just long passwords. It's altogether possible that a service provider would compute a new key, include it in an email to you, salt it, hash it, store the hash and then throw away the original.

(If you re-request it they can just re-generate a new key and send that - who's going to complain? Certainly not you, since you just declared that you don't know the old key anymore.)

How do large corporations store API keys?

1 Answers1