I'm building a Node.js application that primarily serves APIs. These APIs fall into two categories:
- User APIs - to access specific user endpoints like GET /users/:id/purchases
- Admin APIs - allows the company / customer consuming our APIs to call admin-level endpoints like POST /users (to create a new user)
I am already securing user APIs using OAuth access tokens and refresh tokens. What is the best practice to secure my admin APIs? To be more specific, I'm looking to implement a solution like this - https://mailchimp.com/help/about-api-keys/.
The idea is to let my customer log into our admin app to create API keys so they can call our admin APIs:
- How do I generate keys similar to those generated by MailChimp?
- How do I validate these keys on the server using Node.js?
I've found dozens of articles that talk about JWTs but I doubt they are the right solution for this particular use case.