How to generate and manage API Keys in ASP .NET Core

Time:05-04

I'm building an API Server with ASP .NET Core. I needed to generate and manage API Keys. So I searched about that, and I found 'Azure Key Vaults'. I thought it might be a solution, but it was a paid service. So I wondered what the general way to generate and manage API Keys in ASP .NET Core is. I will be thankful if you help me.

CodePudding user response:

It depends on your logic and how you would like the API key to generate if you are doing it by yourself.

You could refer to Simple and secure custom API Keys using ASP.NET Core to generate API keys.

If you are consuming the APIs in your project then those APIs will provide you with the keys.

Further, it looks like you are concerned about storing/managing the API keys.

In the Development environment, you could try to store it in the AppSettings.json, or you could store it using the Environment variables or you could try to use Secret Manager.

It is quite risky and not recommended to rely on these methods to store the API keys for the production environment. For the production environment, I would suggest you store the API keys in the Azure Key Vault. I understand that you need to pay to use it but it is the recommended approach to securely store the API keys.

References:

  1. How to store app secrets for your ASP .NET Core project
  2. Safe storage of app secrets in development in ASP.NET Core
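For the case where the API server issues its own keys, the following is an added example, not code from the answer above or from the article it links. It assumes .NET 6 or later; the `ApiKeyService` class and the `sk_` prefix are hypothetical names. It generates a key from the OS CSPRNG, keeps only a hash for storage, and verifies a presented key in constant time.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: hypothetical helper, not part of ASP.NET Core or the linked article.
public static class ApiKeyService
{
    private const string Prefix = "sk_"; // assumed prefix; makes leaked keys easy to find in scans
    private const int KeyBytes = 32;     // 256 bits of randomness from the OS CSPRNG

    // Returns the plaintext key (shown to the client once) and the hash to persist.
    public static (string Key, string Hash) Generate()
    {
        byte[] raw = RandomNumberGenerator.GetBytes(KeyBytes);
        // URL-safe base64 so the key survives headers and query strings unchanged.
        string key = Prefix + Convert.ToBase64String(raw)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return (key, HashKey(key));
    }

    // Plain SHA-256 is adequate because the key is high-entropy random data, not a password.
    public static string HashKey(string key) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(key)));

    // Hashes the presented key and compares it with the stored hash in constant time.
    public static bool Verify(string presentedKey, string storedHash)
    {
        if (string.IsNullOrEmpty(presentedKey) || string.IsNullOrEmpty(storedHash))
            return false;
        if (!presentedKey.StartsWith(Prefix, StringComparison.Ordinal))
            return false;

        byte[] presented = Convert.FromHexString(HashKey(presentedKey));
        byte[] stored;
        try { stored = Convert.FromHexString(storedHash); }
        catch (FormatException) { return false; } // corrupted record: reject, do not throw

        // FixedTimeEquals returns false for different lengths without an early exit on content.
        return CryptographicOperations.FixedTimeEquals(presented, stored);
    }

    public static void Main()
    {
        var (key, hash) = Generate();
        Console.WriteLine($"Give to client once: {key}");
        Console.WriteLine($"Store server-side:   {hash}");
        Console.WriteLine($"Valid key accepted:  {Verify(key, hash)}");
        Console.WriteLine($"Altered key refused: {Verify(key + "x", hash)}");
    }
}
```

With this layout the server never needs to keep the plaintext key, so the stored value cannot be replayed as a credential if the table is read.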

CodePudding user response:

Azure Key Vault is great but it has some drawbacks. It costs, isn't that fast and it can become a burden with lots of Keys. There's an AZ303 question about making multiple key vaults to scale.

You know the AppConfig has a FREE tier and you can store your API keys in there: https://azure.microsoft.com/en-us/pricing/details/app-configuration/

For Database Connection Strings I'd still use Azure Key Vault; for API keys I wouldn't worry about storing in Azure App Config if there's only a few dozen and it's not for externally used services.
