Auth & Data
Issue and verify programmatic API keys without ever storing the secret: show once, persist only a sha256 hash plus a display prefix, verify by hashing the bearer token.
Description
Letting users call your API with a long-lived key instead of a session: issuing keys, authenticating requests, listing and revoking keys.
Treat an API key like a password. The full key is shown to the user exactly once at creation and never again. You persist only:
- the sha256 hex hash of the full key (what you look up by), and
- a short display prefix (for example dd_live_ab12) so the UI can show which key is which.

```js
import { createHash, randomBytes } from "node:crypto";

const KEY_PREFIX = "dd_live_";
const raw = KEY_PREFIX + randomBytes(16).toString("hex"); // 128 bits of CSPRNG entropy; shown once, never stored
const hash = createHash("sha256").update(raw).digest("hex"); // stored; this is the lookup column
const displayPrefix = raw.slice(0, 12); // stored for the UI, e.g. dd_live_ab12
```
On each request, take the bearer token, hash it the same way, and look up the row by that hash. Reject if no row is found or if revoked_at is set. Touch last_used_at opportunistically. Because the lookup is by the hash of the presented value, a database dump yields no usable keys: an attacker holds sha256 digests of 128-bit random strings, which can neither be inverted nor presented as bearer tokens. Plain sha256 is adequate here only because the key is CSPRNG output with that much entropy; a user-chosen secret would still need a slow password hash.
- Revoke by setting revoked_at rather than deleting the row, so the audit trail and last-used time survive.
- listKeys returns the display prefix and metadata, never the hash.
Added 2026-07-01.
