I'm building a REST API that uses API keys for authentication. I want to ensure that these API keys are stored securely in my database. If I were storing user passwords, I would use Argon2id for hashing. For other types of sensitive user data that require decryption, I would consider using AES encryption.
However, I'm unsure about the best practices for storing API keys. Specifically, I want to know:
- Should I hash API keys before storing them in the database, similar to user passwords?
- If hashing is recommended, what algorithms are best suited for this purpose?
- Are there any specific considerations or best practices for securely storing and managing API keys that differ from handling passwords or other sensitive data?
I reviewed the OWASP guidelines but couldn't find a definitive recommendation on this topic.