In my project the user will provide an API key and I want to compare it to the ones in the database. The only thing the server will have is the plain text key being provided in the request headers.
In bcrypt I want to find this key in the database to validate it. The only issue is that the values in the database are hashed and salted. bcrypt.compare() could work, but only if I had something like the user's email to specifically find one document in the database which I could compare the key to.
Is cycling through each document and comparing the keys my only option, or is there a more efficient method?
Typically you would also send a client id of some sort with the request (not just the api key) for this very purpose, to know which key to check.
Going through many keys will be very slow, that's kind of the point. Storing more info (like some kind of a lookup) would weaken your implementation and you should probably not do that. In a usual design you would just have a username or client id or whatever you call it.