https://vjay15.github.io/blog/apikeys/
Article
- Junior dev’s walkthrough of API key design: prefix slugs, checksums, random hex
- Explores tradeoffs between opaque tokens, encoded metadata, and checksum schemes
- Arrives at prefix + base32(id + secret) pattern used by industry
Discussion
- Checksum’s real purpose: help secret scanners detect leaked keys, not typo detection
- Slug prefix primarily for automated scanners (GitHub, GitGuardian), not end users
- Criticism: over-engineered for a simple bearer token; whole 512-bit token fits in a cache line
- OP acknowledged as a junior learning; several commenters were supportive despite criticism
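The prefix + base32(id + secret) + checksum layout summarized above, as an added example that is not code from the article or from the HN thread. The prefix slug `exk`, the 8-byte id, the 32-byte secret and the 6-character base32 rendering of a CRC32 are all assumptions chosen for illustration; the point it shows is that the checksum lets a scanner discard false positives while authentication still rests only on the secret.

```python
import base64
import hashlib
import hmac
import re
import secrets
import zlib
from typing import Dict, List, Optional, Tuple

# Assumed layout: <PREFIX>_<base32(id || secret)><CHECK_LEN base32 digits of CRC32>
PREFIX = "exk"      # constructed slug; a real service registers its own with scanners
ID_LEN = 8          # public lookup handle, safe to log
SECRET_LEN = 32     # the actual bearer credential
CHECK_LEN = 6       # 30 bits of CRC32; enough to filter scanner false positives
BODY_B32_LEN = (ID_LEN + SECRET_LEN) * 8 // 5   # 64 chars, no padding needed
_B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def _b32(data: bytes) -> str:
    # lowercase, unpadded base32 keeps the key URL- and shell-safe
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _checksum(body: str) -> str:
    # CRC32 of everything before the checksum, rendered as base32 digits.
    # This is an integrity hint for scanners, not a security control.
    crc = zlib.crc32(body.encode("ascii")) & 0xFFFFFFFF
    digits = []
    for _ in range(CHECK_LEN):
        digits.append(_B32_ALPHABET[crc & 31])
        crc >>= 5
    return "".join(digits)


def generate_key(key_id: Optional[bytes] = None, secret: Optional[bytes] = None) -> str:
    """Mint a key; id/secret may be injected (tests), otherwise drawn from the CSPRNG."""
    key_id = key_id if key_id is not None else secrets.token_bytes(ID_LEN)
    secret = secret if secret is not None else secrets.token_bytes(SECRET_LEN)
    if len(key_id) != ID_LEN or len(secret) != SECRET_LEN:
        raise ValueError("bad id/secret length")
    body = PREFIX + "_" + _b32(key_id + secret)
    return body + _checksum(body)


def split_key(key: str) -> Optional[Tuple[bytes, bytes]]:
    """Return (key_id, secret) if the key is well-formed and its checksum matches, else None."""
    if len(key) <= CHECK_LEN or not key.startswith(PREFIX + "_"):
        return None
    body, check = key[:-CHECK_LEN], key[-CHECK_LEN:]
    if _checksum(body) != check:
        return None
    encoded = body[len(PREFIX) + 1:]
    try:
        raw = base64.b32decode(encoded.upper() + "=" * (-len(encoded) % 8))
    except Exception:
        return None
    if len(raw) != ID_LEN + SECRET_LEN:
        return None
    return raw[:ID_LEN], raw[ID_LEN:]


def authenticate(key: str, store: Dict[bytes, bytes]) -> bool:
    """Server side: look up by id, compare a hash of the secret in constant time.
    `store` maps key_id -> sha256(secret); the plaintext secret is never stored."""
    parts = split_key(key)
    if parts is None:
        return False
    key_id, secret = parts
    expected = store.get(key_id)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(secret).digest(), expected)


# Scanner side: the fixed prefix and length give a cheap regex; the checksum then
# rejects look-alike strings so only plausible leaks are reported.
KEY_RE = re.compile(r"\b" + re.escape(PREFIX) + r"_[a-z2-7]{" + str(BODY_B32_LEN + CHECK_LEN) + r"}\b")


def scan_text(text: str) -> List[str]:
    """Return the candidate keys in text whose checksum verifies."""
    return [m.group(0) for m in KEY_RE.finditer(text) if split_key(m.group(0)) is not None]


if __name__ == "__main__":
    k = generate_key()
    kid, sec = split_key(k)
    store = {kid: hashlib.sha256(sec).digest()}
    print(k, authenticate(k, store))
    print(scan_text("constructed log line: token=" + k + " accepted"))
```

Note that `scan_text` reports a key only when its checksum verifies, which is exactly why the thread says the checksum exists for scanners: a random 74-character string with the right prefix is rejected without any call to the issuing service.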
Discuss on HN