存储在DB api密钥中以用于第三方服务

Question

I have a java application and I have users connecting to it with user and password. I'm using amazon services for the hosting and for the rest of the stuff in the application.

I want to make a rest call to get some data from third party service and I need the user to enter the API key for it. Each user has his own API KEY.

I don't want the user to enter the API KEY every time.

I don't want to store the API KEY as is in the DB so I tried to google it but I didn't find any pro\\elegant solution.

Do you have any idea besides encrypt and decrypt the API key using some algorithm?

Answer 1

If you want to store the API keys in a database table, then there really isn't any alternative to encrypting that data, to protect it. However, there is an alternative which does not involve storing the keys in a database. Instead, you could use JWT user tokens. Using JWT, when the user logs on, or otherwise would need to authenticate, you could prompt them to enter the API key as well. Then, you would issue a token to the user which contains the API keys in the claims section. Whenever the user would approach your service with the intention of calling an API, the JWT would be passed in, and the server could extract the API key.

Under the JWT approach, the API keys would only be stored with each of your users, and they would not be stored in your database or elsewhere on your system, at least not in any long term capacity.