Owen (degenerate aspect) on Nostr: Any of y'all lovely folks have recommendations for storing API tokens _as an API ...
Any of y'all lovely folks have recommendations for storing API tokens _as an API provider_, such that someone walking off with the whole DB can't then trivially use that information to impersonate other users?
If they were passwords I'd store them after passing them through argon2, but doing argon2 validation on each request would be … challenging, in terms of load management.
Is storing the HMAC of a token, rather than the token itself, reasonable?
Published at 2025-05-06 19:34:54
Event JSON
{
"id": "bd8fd43fb90bd48b8f7b2719431ec54d9f871eeef25dc4020d3efb3c9e00550f",
"pubkey": "7e1f3bd7b02800f933c73a852021347e129894ac71afba61afa750151e4023c3",
"created_at": 1746560094,
"kind": 1,
"tags": [
[
"proxy",
"https://mastodon.transneptune.net/users/owen/statuses/114462562331707192",
"activitypub"
],
[
"client",
"Mostr",
"31990:6be38f8c63df7dbf84db7ec4a6e6fbbd8d19dca3b980efad18585c46f04b26f9:mostr",
"wss://relay.mostr.pub"
]
],
"content": "Any of y'all lovely folks have recommendations for storing API tokens _as an API provider_, such that someone walking off with the whole DB can't then trivially use that information to impersonate other users?\n\nIf they were passwords I'd store them after passing them through argon2, but doing argon2 validation on each request would be … challenging, in terms of load management.\n\nIs storing the HMAC of a token, rather than the token itself, reasonable?",
"sig": "1a7fa751c9897c262b2bc2d3f9f0ee5fe5980a743bf8dbed5364ded0246176487534d4f9e7cde512b6fd99e91c8df60b6dde5c2fd0a48deee14214535c241e55"
}
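The scheme the post asks about, worked through as an added example (this is not the poster's code, and nothing here comes from the Nostr event above). The reason argon2 is the right tool for passwords is that passwords are low-entropy and must be made expensive to guess; an API token generated from 256 bits of CSPRNG output has no such weakness, so a single HMAC (or even a plain SHA-256) per request is enough to make a stolen table of tags worthless. The example assumes a server-side pepper held outside the database (an environment variable or KMS is the usual home), a `token_id.secret` token format so the record can be looked up without a scan, and an in-memory dict standing in for the token table; all of those are my choices, not anything the post specifies.

```python
import hashlib
import hmac
import secrets

# Assumed design (added example, not from the post): a pepper kept OUTSIDE
# the database, e.g. in a KMS or environment variable. A dump of the table
# alone then yields only HMAC tags, which cannot be replayed as tokens.
SERVER_PEPPER = b"constructed-example-pepper-keep-out-of-the-db"

# Constructed stand-in for the token table: token_id -> record.
# Only the HMAC tag is stored, never the token secret itself.
TOKEN_DB: dict[str, dict] = {}


def tag_token(secret: str) -> str:
    """HMAC-SHA256 of the token secret under the server pepper (hex)."""
    return hmac.new(SERVER_PEPPER, secret.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str) -> str:
    """Create a token for `user`, persist only its tag, return the token once."""
    token_id = secrets.token_urlsafe(9)   # public lookup handle, 12 chars
    secret = secrets.token_urlsafe(32)    # 256 bits of entropy, never stored
    TOKEN_DB[token_id] = {"user": user, "tag": tag_token(secret), "revoked": False}
    return f"{token_id}.{secret}"


def authenticate(presented: str):
    """Return the owning user for a valid token, else None.

    Per-request cost is one HMAC over a short string, so there is no
    argon2-style load problem. The tag comparison is constant-time.
    """
    try:
        token_id, secret = presented.split(".", 1)
    except ValueError:
        return None
    rec = TOKEN_DB.get(token_id)
    if rec is None or rec["revoked"]:
        tag_token(secret)  # do the same work so timing does not reveal id validity
        return None
    if not hmac.compare_digest(tag_token(secret), rec["tag"]):
        return None
    return rec["user"]


def revoke(token_id: str) -> None:
    """Revocation is a flag on the record; the secret never needs to be known."""
    if token_id in TOKEN_DB:
        TOKEN_DB[token_id]["revoked"] = True


def db_dump_is_useless() -> bool:
    """Model the threat in the post: an attacker holding a full copy of TOKEN_DB
    tries to log in with each stored tag as if it were the token secret."""
    for token_id, rec in TOKEN_DB.items():
        if authenticate(f"{token_id}.{rec['tag']}") is not None:
            return False
    return True


if __name__ == "__main__":
    tok = issue_token("alice")
    print("issued:", tok)
    print("authenticates as:", authenticate(tok))
    print("dump of table usable to impersonate?", not db_dump_is_useless())
```

The pepper is what separates "store the HMAC" from "store the SHA-256": with a high-entropy secret either one defeats a database-only leak, but the keyed form additionally protects any token that was ever issued with weaker randomness, because without the key the attacker cannot even verify guesses offline. Revoking or rotating the pepper invalidates every token at once, which is also the operational cost to plan for.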