DEV Community: lamj The latest articles on DEV Community by lamj (@lamj). https://dev.to/lamj https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3835811%2Fff66b699-946c-401a-a93f-c671bdb0c9cd.jpg DEV Community: lamj https://dev.to/lamj en How I Validate API Keys Without Hitting the Database on Every Request lamj Tue, 24 Mar 2026 14:48:35 +0000 https://dev.to/lamj/how-i-validate-api-keys-without-hitting-the-database-on-every-request-5cb3 https://dev.to/lamj/how-i-validate-api-keys-without-hitting-the-database-on-every-request-5cb3 <p>Free APIs come with a lot of challenges.</p> <p>One of the biggest ones is API key validation.</p> <p>If done poorly, it can lead to:</p> <ul> <li>performance bottlenecks</li> <li>unnecessary database load</li> <li>potential security issues</li> </ul> <p>Here’s how I approached this problem.</p> <h2> Authorization and API Key Design </h2> <p>I didn’t want to validate every API key with a database query.</p> <p>So I made the key <strong>self-contained</strong>.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Authorization: PetProjects ppk_v1_1_nonce_signature </span></code></pre> </div> <p>Key format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ppk_version_userId_nonce_signature </code></pre> </div> <p>Where:</p> <ul> <li> <code>version</code> — key version</li> <li> <code>userId</code> — user identifier</li> <li> <code>nonce</code> — random value</li> <li> <code>signature</code> — HMAC signature</li> </ul> <h2> Validation Flow </h2> <p>The validation process is split into two steps.</p> <h3> 1. Fast Validation (No Database) </h3> <p>First, the key is validated locally:</p> <ul> <li>structure check</li> <li>data correctness</li> <li>HMAC signature verification</li> </ul> <p>This allows us to reject invalid or garbage keys <strong>without touching the database</strong>.</p> <h3> 2. User Check </h3> <p>If the key is valid:</p> <ul> <li>we extract <code>userId</code> </li> <li>then perform a single database query</li> </ul> <h2> Validation Code </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">validateApiKey</span><span class="p">(</span><span class="nx">apiKey</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">ApiKeyPayload</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">apiKey</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">ppk_</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="nx">apiKey</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">_</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">parts</span><span class="p">.</span><span class="nx">length</span> <span class="o">!==</span> <span class="mi">5</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="p">[,</span> <span class="nx">version</span><span class="p">,</span> <span class="nx">userIdRaw</span><span class="p">,</span> <span class="nx">nonce</span><span class="p">,</span> <span class="nx">signature</span><span class="p">]</span> <span class="o">=</span> <span class="nx">parts</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nc">Number</span><span class="p">(</span><span class="nx">userIdRaw</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nb">Number</span><span class="p">.</span><span class="nf">isInteger</span><span class="p">(</span><span class="nx">userId</span><span class="p">))</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">signature</span> <span class="o">||</span> <span class="o">!</span><span class="sr">/^</span><span class="se">[</span><span class="sr">a-f0-9</span><span class="se">]{64}</span><span class="sr">$/</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">signature</span><span class="p">))</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">version</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">nonce</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">expectedSignature</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">API_KEY_SECRET</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">payload</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">signature</span><span class="p">.</span><span class="nx">length</span> <span class="o">!==</span> <span class="nx">expectedSignature</span><span class="p">.</span><span class="nx">length</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="cm">/** * Timing-safe comparison is used here. * * A regular string comparison (===) can be vulnerable to timing attacks: * the comparison stops at the first mismatched character, * which may allow an attacker to infer parts of the signature * based on response time differences. * * crypto.timingSafeEqual performs a constant-time comparison, * preventing leakage of information about matching characters. */</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">timingSafeEqual</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">signature</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">),</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">expectedSignature</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">));</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isValid</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">version</span><span class="p">,</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">nonce</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h2> Caching </h2> <p>After successful validation, the user is cached:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">apiKeyCache</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">LRUCache</span><span class="o">&lt;</span><span class="kr">number</span><span class="p">,</span> <span class="nx">CachedUserAuth</span><span class="o">&gt;</span><span class="p">({</span> <span class="na">max</span><span class="p">:</span> <span class="mi">10000</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="mi">5</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Benefits:</p> <ul> <li>no database hit on every request</li> <li>reduced latency</li> <li>lower database load</li> </ul> <h2> Why TTL = 5 Minutes </h2> <p>The TTL is intentionally short.</p> <p>If a key leaks:</p> <ul> <li>it only works for a limited time</li> <li>then requires revalidation via database</li> </ul> <p>This is a trade-off between <strong>performance and security</strong>.</p> <h2> Final Thoughts </h2> <blockquote> <p>Don’t validate API keys with a database on every request.<br><br> Design them to be verifiable locally.</p> </blockquote> <p>If you're building a free API, this approach can significantly reduce load while keeping things simple.</p> <h2> Example </h2> <p>I’m using this approach in a free API platform I’m building:</p> <p><a href="https://pet-projects.io/en/apis" rel="noopener noreferrer">https://pet-projects.io/en/apis</a></p> webdev backend api I Built Free APIs You Can Use in 1 Minute (No Setup Required) lamj Fri, 20 Mar 2026 17:11:35 +0000 https://dev.to/lamj/i-built-free-apis-you-can-use-in-1-minute-no-setup-required-2gp8 https://dev.to/lamj/i-built-free-apis-you-can-use-in-1-minute-no-setup-required-2gp8 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd64ywuknkrc9gaunb1p3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd64ywuknkrc9gaunb1p3.png" alt="Preview" width="800" height="448"></a><br> Every developer has faced this problem:</p> <p>You need an API for a pet project, testing, or learning…<br><br> and suddenly you’re stuck.</p> <ul> <li>APIs are overcomplicated </li> <li>Documentation is confusing </li> <li>Or everything is locked behind a paywall </li> </ul> <p>So I decided to build something simpler.</p> <h2> The idea </h2> <p>I created a set of <strong>free APIs with instant access</strong>.</p> <ul> <li>No setup. </li> <li>No waiting. </li> <li>No friction.</li> </ul> <p>You open the page — and you can start using it immediately.</p> <p>👉 Explore the API instantly<br> <a href="https://pet-projects.io/en" rel="noopener noreferrer">https://pet-projects.io/en</a></p> <h2> 🔥 Instant Playground </h2> <p>Instead of reading long docs first, you can just try it:</p> <ul> <li>Ready-to-use requests </li> <li>Code examples in 6 languages </li> <li>Real responses </li> </ul> <p>Requests are sent in real-time, so you can see how the API behaves.</p> <p>To use it in your own projects, you’ll need an API key.</p> <p>Just <strong>sign in</strong> (via OAuth or email) — your API key will be generated and applied automatically.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8mbbk0p8nj6g21nr7ph9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8mbbk0p8nj6g21nr7ph9.png" alt="Playground Screenshot" width="800" height="824"></a></p> <h2> Example APIs </h2> <p>Here are a few things you can already use:</p> <ul> <li>JSON storage API </li> <li>REST Free API</li> <li>REST Todos API </li> <li>GraphQL Todos API</li> <li>(more coming soon — including WebSocket API)</li> </ul> <h2> Why I built it this way </h2> <p>Most platforms optimize for:</p> <blockquote> <p>monetization first, developer experience second</p> </blockquote> <p>I wanted the opposite:</p> <blockquote> <p><strong>Developer experience first</strong></p> </blockquote> <ul> <li>Minimal time to first request </li> <li>Clean UI </li> <li>No unnecessary steps </li> </ul> <h2> Try it yourself </h2> <p>You can test everything here:</p> <p><a href="https://pet-projects.io/en" rel="noopener noreferrer">https://pet-projects.io/en</a></p> <p>Or jump directly into a playground and start sending requests.</p> <h2> Feedback </h2> <p>If you have ideas or feedback — I’d love to hear it.</p> <p>This is just the beginning, and I’m actively improving the platform.</p> api webdev backend frontend