I'd like to implement a RESTful API service over HTTP that developers can call from their server side environments.
I intend to use a cryptographically secure pseudo-random number generator (CSPRNG) to generate keys and then convert the bits to a text-friendly encoding format (say base58). e.g. a random 256-bit number of say 0xbcd612439baf13189ee65469306651c341212cfea9b887fd0ce0bb2d4e95e97a
would be base58 encoded to Di8yS3NxymgwuaD6Ft4B7Yi6GdW5hbmLdWYJm22YBZRj
.
My API endpoint would be use HTTP with TLS (e.g. https://example.com/api/v1
). The HTTP request header would be used to send the developer key in the following way:
Authorization: Bearer Di8yS3NxymgwuaD6Ft4B7Yi6GdW5hbmLdWYJm22YBZRj
I aim to store the SHA256 hash of the developer key in an SQL database server-side. I plan uses a constant time comparison to compare the calculated hash to the corresponding hash from the database.
Is the above scenario good/bad practice?
If not, why and what should I learn to make it better?
Any other tips or advice welcome please.
Edit: I posted this on Crypto-SE and another user pointed out I should have a policy for distribution/rotation/blacklisting.