The latest articles on DEV Community by Nagarjun Palavalli (@nagarjun). https://dev.to/nagarjun https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F39228%2Fa3180c84-940d-4985-8c1d-7ea27a1c9829.jpg https://dev.to/nagarjun en Nagarjun Palavalli Fri, 30 Nov 2018 07:43:49 +0000 https://dev.to/nagarjun/best-practices-to-generate-and-store-api-keys-using-nodejs-534d https://dev.to/nagarjun/best-practices-to-generate-and-store-api-keys-using-nodejs-534d <p>I'm building a Node.js application that primarily serves APIs. These APIs fall into two categories:</p> <ul> <li>User APIs - to access specific user-endpoints like GET /users/:id/purchases</li> <li>Admin APIs - allows the company / customer consuming our APIs to call admin-level endpoints like POST /users (to create a new user)</li> </ul> <p>I am already securing user APIs using OAuth access tokens and refresh tokens. What is the best practice to secure my admin APIs? To be more specific, I'm looking to implement a solution like this - <a href="https://mailchimp.com/help/about-api-keys/" rel="noopener noreferrer">https://mailchimp.com/help/about-api-keys/</a>.</p> <p>The idea is to let my customer log into our admin app to create API keys so they can call our admin APIs:</p> <ol> <li>How do I generate keys similar to those generated by MailChimp?</li> <li>How do I validate these keys on the server using Node.js?</li> </ol> <p>I've found dozens of articles that talk about JWTs but I doubt they are the right solution for this particular use case.</p> help