April 15, 2026

Key drama unlocked

Article URL →HN comments →

My adventure in designing API keys

Rookie dev shares a key design; commenters erupt over extra checks and “don’t build your own”

TLDR: A junior dev shared an API key design with a typo-catching “checksum.” Comments erupted: some say keep tokens simple and never build your own crypto, others applauded the learning; this matters because bad key design can risk security and scaling.

A junior product developer posted his “API keys 101” adventure—those are the secret codes you paste into apps so they can talk to a service—with a neat recipe: a readable prefix (like “gh_” for GitHub), a long random string, and a little extra “checksum” to catch typos before hitting the database. Sounds harmless? The comments turned it into Checksum Wars.

The loudest camp shouted: keep it simple and opaque. One critic pushed for plain, collision-resistant IDs (think random-looking codes), calling the extra check “overkill.” Another went full siren: do not build your own security, urging him to use established tools (think standard tokens and battle-tested libraries). A third voice mocked the performance worry entirely, saying the “extra check” won’t even register on a modern computer—if you need peekable parts, just package data in a standard format.

There were cheers, too. A supportive reader loved the math shout-out (the “birthday paradox” bit) and even dropped a plug for their own API notes at voiden.md. Meanwhile the author humbly reminded everyone he’s still learning, which only fueled the classic internet split: mentor mode vs megaphone mode. Jokes flew about “bikeshedding a 64‑character string,” and “don’t roll your own crypto” made its ritual cameo like a superhero catchphrase. In the end, the code was secondary—the comment drama stole the show.

Key Points

  • API keys are presented as tokens for authenticating public API access without sessions, with a focus on creation and design.
  • A common format includes a prefix (e.g., GitHub’s gh(o|p), Stripe’s sk_live/sk_test), a random hex string, and often a checksum for pre-DB validation.
  • API keys should be hashed and stored like passwords; plaintext is shown once at creation and not retained.
  • Some systems store only the first few characters of keys for identification and support per-key permissions and API call logging.
  • In a multi-tenant, sharded system, Approach 1 maps API key hashes to account IDs in a metashard for shard routing; tested at ~20M records with good performance, though alternatives are sought.

Hottest takes

"I don't like giving away any information what-so-ever in an API key" — calrain
"do not implement encryption related functionality yourself... This problem is solved" — usernametaken29
"The checksum is pointless... Comparing the whole sequence won’t show up in any profiler" — bob1029

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.