Security questions

[talentlessguy]

Hi, I would like to use Unkey in my project but I have a few questions regarding security.

• Why is Unkey secure? What makes it secure?
• Where are API keys stored? On a Planet scale db instance?
• Are the API keys encrypted in any way?

[chronark]

Hey @talentlessguy

We are never storing the keys themselves, we generate it and pass it to you and you should not store it either but give it to your user.

For key management each key has a unique id, which you can use to update its properties or delete, but the key id can never be used to verify the key itself.

We use planetscale as database provider and only store a sha256 hash of the key as reference.
When you ask unkey to verify a key, we hash it and compare it to the hash in the db.

Hope that answers your concerns, let me know if I can help you any further

[chronark]

@perkinsjr wrote a much better version of this here :)

[talentlessguy]

Thanks for such detailed answer! Now it's clear to me