&gt; we search our database for short_token and hash(long_token).Sounds like some salt should be used here. Search the DB for short_token, then use the discovered salt to check the &quot;password&quot;.

But you don&#x27;t need to encode or decode anything here? Tokens are just random strings?

Don’t use base58. Even bitcoin, which originated or at least popularized base58 has moved away from it. They are a pain to encode and decode, with a naive implementation requiring a bignum library, and they don’t save you much in the end over a base32.

On iPhone the long-press-to-select doesn’t cross the underscore boundary, so you end up just selecting part of the token. Maybe you can do without those underscores?

thanks for taking a look! I&#x27;ve created an issue on the repo and should be able to address these tonight :)

Couple comments upon looking at the actual code:- You can promisify randomBytes once and reuse it rather than twice for every invocation- There shouldn’t be a default value for the company name or people will end up using it.- The company name isn’t validated so it could contain underscores which would cause issues with the short token parsing as it assumes it’s the second “chunk”- The equals comparison of the hashes for the secrets is not timing safe. It’s not as bad as if they were plain text but it does short circuit due to how string equals works. Use the actual built in timing safe equals on the Buffer hash (not the stringified hex).

I think this is an excellent idea! However, we didn&#x27;t like the aesthetic of the version that included the domain- I&#x27;ll admit it&#x27;s not great reasoning.

If you are prefixing it, why not prefix it with a full domain name? mycompany_com_BRTRKFsL_51FwqftsmMDHHbJAMEXXHCgG is not much longer than mycompany_BRTRKFsL_51FwqftsmMDHHbJAMEXXHCgG and allows reporting leaked secrets (for example using the GitHub scheme [1]) without having to look up the URL in some sort of registry, e.g. POST <a href="https:&#x2F;&#x2F;mycompany.com&#x2F;.well-known&#x2F;report-leaked-secrets" rel="nofollow">https:&#x2F;&#x2F;mycompany.com&#x2F;.well-known&#x2F;report-leaked-secrets</a>[1]: <a href="https:&#x2F;&#x2F;docs.github.com&#x2F;en&#x2F;developers&#x2F;overview&#x2F;secret-scanning-partner-program#create-a-secret-alert-service" rel="nofollow">https:&#x2F;&#x2F;docs.github.com&#x2F;en&#x2F;developers&#x2F;overview&#x2F;secret-scanni...</a>edit: See also the discussion from last time: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=28296864" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=28296864</a>

Thanks, yes I agree the &quot;.split(_)[-1]&quot; is ugly and there should be validation on the key prior to operations on it!Making an issue :)

I don&#x27;t follow what the security property is of involving sha256 against the b58 encoded value? If it serves as a checksum against tpyoss, wouldn&#x27;t one wish to include the shortToken also? Otherwise, it&#x27;s just as much attacker controlled content as the b58 version is, as best I can tellAs an implementation observation, I am also on a life-long campaign to rid the world of `split(...)[-1]` type manipulations, because they lack the context of a more rigorous &quot;parsing&quot; style. In this specific case, it allows attackers to smuggle almost arbitrary characters between the shortToken and longToken:<pre><code> checkAPIKey(&quot;alpha_BRTRKFsL_and this one time at band camp\r\nContent-Length: 0\r\n_51FwqftsmMDHHbJAMEXXHCgG&quot;,
 &quot;d70d981d87b449c107327c2a2afbf00d4b58070d6ba571aac35d7ea3e7c79f37&quot;)


</code></pre>
Also for your consideration, the code currently has duplication:<pre><code> export const extractLongTokenHash = (token: string) =&gt;
 hashLongToken(extractLongToken(token))
 &#x2F;&#x2F; ...snip...
 longTokenHash: hashLongToken(extractLongToken(token)),
 &#x2F;&#x2F; ...snip...
 ) =&gt; hashLongToken(extractLongToken(token)) === expectedLongTokenHash
</code></pre>
and my experience is that it&#x27;s so easy to remember to update one and forget to update the others

It&#x27;s the issuers company or product name. GitHub for example prefix their tokens with &quot;gh_&quot; which makes it easy to scan for tokens uploaded to repos or even across the web if they wanted.GitHub has secret scanning features built in now, with a prefix of your product name or company name you could easily create a regex of sorts to find when someone has uploaded an API key for your application to their GitHub repo and revoke the token or email them.

Can you tell more about the prefix? Not very clear to me. Is it issuer id or user id? And if it&#x27;s later and is user provided, how it helps with scanning

&gt; If you&#x27;re trying to store the secret&#x27;s hash, isn&#x27;t something like bcrypt&#x2F;scrypt preferred over raw sha256 these days?Not for this type of use case. If a secret is long and generated from a cryptographically secure source (eg &#x2F;dev&#x2F;urandom), then any cryptographic hash function is fine as brute forcing the secret itself is not feasible. A single pass of sha256 is fine and presumably you’d be doing many of these operations each second in a high throughput application.“Slow” hash functions like bcrypt or scrypt are for user provided secrets that might not have a large amount of entropy. It’s fine for something like user authentication but would be way too slow and pointless for API keys.

Appreciate the thoughts on the naming&#x2F;exceptions and thanks for taking a look at the implementation! Definitely making some adjustments tonight.I think your thought on bcrypt&#x2F;scrypt vs SHA256 is super interesting here. The long token is treated a lot like a password, so we should treat it similarly and use slow hashing. However, unlike a password an API key is repeatedly used for authentication instead of being exchanged for a session token. I don&#x27;t think this meaningfully changes anything- so I think you&#x27;re right that bcrypt&#x2F;scrypt would be a better choice!Edit: Also see koomla&#x27;s answer!

Thanks for sharing! As somebody who has been bitten before by copy-pasting a key I appreciate that as the headlining benefit :)Thoughts from an ergonomic perspective:- Base58 is nice and makes easy-to-handle values which is nice- Naming of shortToken, longToken, and token are confusing to me, because it makes it sound like all of these values are tokens&#x2F;secrets of some sort, rather than components of the token. Not to bikeshed, but what jumps to my mind is more like &quot;prefix_id_secret&quot;, which helps make it clear what role each one plays.- I don&#x27;t think keyPrefix should have a default, I think your function should raise an error if it&#x27;s not provided. Otherwise more than one user of your library is going to end up with &quot;mycompany&quot; keys in the wild.- You probably ought to validate that keyPrefix does not contain an underscore and raise an exception if it does, otherwise that way lies pain for people trying to handle these keys.Thoughts from a security perspective:- You should probably use crypto.timingSafeEquals(buffer, buffer) [1] instead of comparing strings- If you&#x27;re trying to store the secret&#x27;s hash, isn&#x27;t something like bcrypt&#x2F;scrypt preferred over raw sha256 these days?[1] <a href="https:&#x2F;&#x2F;nodejs.org&#x2F;api&#x2F;crypto.html#cryptotimingsafeequala-b" rel="nofollow">https:&#x2F;&#x2F;nodejs.org&#x2F;api&#x2F;crypto.html#cryptotimingsafeequala-b</a>

Author here: I was curious what HN would think of this token style, we&#x27;re currently using it for getseam.com . I think it has a lot of advantages over other token styles (e.g. double-click to select, standard alphabet, compatible with secret scanning). Although this is a typescript library, we originally designed this API key for use in Ruby on Rails and the pattern should be fairly portable.

Yep you&#x27;ve got it! The consumer gets the full api key containing the prefix, short token and long token, e.g. &quot;mycompany_BRTRKFsL_51FwqftsmMDHHbJAMEXXHCgG&quot;. The database stores the short token, and a hash of the long token.

I wasn’t too sure based on the docs:What parts of tokens does the server store in the Database (everything but the raw long token I think?)What is sent to the consumer, and what do they need to send with the request?

Wow how did I never hear about this? I only read the first 2 paragraphs under Introduction, but it addresses all the qualms I have with base64 and its many variants.

The linked README links a draft RFC [1], the introduction section of which contains an explanation.[1] <a href="https:&#x2F;&#x2F;datatracker.ietf.org&#x2F;doc&#x2F;html&#x2F;draft-msporny-base58#section-1" rel="nofollow">https:&#x2F;&#x2F;datatracker.ietf.org&#x2F;doc&#x2F;html&#x2F;draft-msporny-base58#s...</a>

from the RFC:&gt; Base58 is designed with a number of usability characteristics in mind that Base64 does not consider. First, similar looking letters are omitted such as 0 (zero), O (capital o), I (capital i) and l (lower case L). Doing so eliminates the possibility of a human being mistaking similar characters for the wrong character. Second, the non-alphanumeric characters + (plus), = (equals), and &#x2F; (slash) are omitted to make it possible to use Base58 values in all modern file systems and URL schemes without the need for further system-specific encoding schemes. Third, by using only alphanumeric characters, easy double-click or double tap selection is possible in modern computer interfaces. Fourth, social messaging systems do not line break on alphanumeric strings making it easier to e-mail or message Base58 values when debugging systems.

Why base 58? I&#x27;ve never even heard of base 58.

<pre><code> &#x2F;&#x2F; Store the key.longTokenHash and key.shortToken in your database and give
 &#x2F;&#x2F; api.token to your customer.
</code></pre>
I&#x27;m pretty sure that should be &quot;key.token&quot; instead.

Yeah, pika is more of an ID system vs. prefixed-api-key which seems to be more oriented around just API keys, which makes sense. However, advantages of timestamps in IDs are that you can create unique IDs based on the current timestamp; bits which, in other ID systems, are usually just random - which feels like a waste imo. Also, knowing when a resource was created when debugging is very helpful.

In your example, the token contains the timestamp.With prefixed-api-key, the hash of each token is stored in the database, so the timestamp can easily be added there.Most of the time I don&#x27;t see the utility in the client having the timestamp, outside of a scenario where you have a third party validate on their own (e. g. JWT w&#x2F; RSA keys). The best way you see if a token has expired is by trying to use it.

I created a similar project recently! Main difference is that I use base64 to encode unique Snowflake IDs, which are timestamped: <a href="https:&#x2F;&#x2F;github.com&#x2F;hopinc&#x2F;pika" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;hopinc&#x2F;pika</a> :)

Very cool,I use something similar but a fixed length for the prefix and uppercaseBasically a copy of stripe tokens

The signature approach is interesting because it couples the short token the api key, so they&#x27;re a pair rather than totally independent. Introducing a signature changes the math to create the shortest possible API key with at least 128 bits of entropy (that are not stored server-side). But it&#x27;s worth looking into!

Nice work! May I inquire as to the design decision behind storing a hash of the long token server-side for verification of the long token, versus digitally signing the short token plus a nonce and including this signature in the API key (instead of a long token), as some other API key schemes do?Both are valid approaches of course, I&#x27;m just interested to hear your thoughts on the relative tradeoffs.

Hey, cool idea. I like it. I made a Go implementation for fun&#x2F;practice - <a href="https:&#x2F;&#x2F;github.com&#x2F;joemiller&#x2F;prefixed-api-key" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;joemiller&#x2F;prefixed-api-key</a>

My suggestion was blocklist which looks a lot like blacklist because only one letter is different. Perhaps &quot;deny list&quot; would be better. It&#x27;s what Apple is using. <a href="https:&#x2F;&#x2F;developer.apple.com&#x2F;news&#x2F;?id=1o9zxsxl" rel="nofollow">https:&#x2F;&#x2F;developer.apple.com&#x2F;news&#x2F;?id=1o9zxsxl</a>

One more suggestion - replace&gt; A token can be blocklisted by its short token.With:&gt; An API Key can be blocklisted by its short token.

fixed thank you :) - and great suggestion!edit based on your edit: Added your recommendation to the README, thank you!

I like it. I&#x27;m not sure that &quot;short token&quot; is the right term for that - perhaps &quot;token id&quot;. Also the only occurrence of &quot;it&#x27;s&quot; in the README should be &quot;its&quot;: <a href="https:&#x2F;&#x2F;brians.wsu.edu&#x2F;2016&#x2F;05&#x2F;19&#x2F;its-its&#x2F;" rel="nofollow">https:&#x2F;&#x2F;brians.wsu.edu&#x2F;2016&#x2F;05&#x2F;19&#x2F;its-its&#x2F;</a>Edit: Actually, the short token is more than just a token ID - it&#x27;s also required, right? Perhaps replace:<pre><code> When we receive an incoming request, we search our database for hash(long_token)
</code></pre>
with:<pre><code> When we receive an incoming request, we search our database for hash(long_token) and short_token. A token can be blocklisted by its short_token.
</code></pre>
So I think I prefer &quot;short token&quot; to &quot;token id&quot; but perhaps there is a better name for it. If it did get renamed it would probably make sense to rename &quot;long token&quot; as well. I&#x27;ll defer to experts on this.

Show HN: Prefixed, dual-token, base58 encoded API Keys

100 points
• 8 days ago
@seveibar
Created a post

> we search our database for short_token and hash(long_token).
Sounds like some salt should be used here. Search the DB for short_token, then use the discovered salt to check the "password".

I wasn’t too sure based on the docs:
What parts of tokens does the server store in the Database (everything but the raw long token I think?)
What is sent to the consumer, and what do they need to send with the request?

Why base 58? I've never even heard of base 58.

`// Store the key.longTokenHash and key.shortToken in your database and give // api.token to your customer.`
I'm pretty sure that should be "key.token" instead.

I created a similar project recently! Main difference is that I use base64 to encode unique Snowflake IDs, which are timestamped: https://github.com/hopinc/pika :)

Very cool,
I use something similar but a fixed length for the prefix and uppercase
Basically a copy of stripe tokens

Hey, cool idea. I like it. I made a Go implementation for fun/practice - https://github.com/joemiller/prefixed-api-key

> we search our database for short_token and hash(long_token).Sounds like some salt should be used here. Search the DB for short_token, then use the discovered salt to check the "password".