A secure Rust library for generating and validating API keys with built-in security best practices.
- Cryptographically secure key generation (192-bit entropy)
- Argon2id hashing (memory-hard, OWASP recommended)
- BLAKE3 checksums (2900x faster DoS protection)
- Constant-time verification (prevents timing attacks)
- Automatic memory zeroing (protects sensitive data)
- Key expiration (time-based access control)
- Key revocation (instant access denial via stored hash)
```rust
use api_keys_simplified::{ApiKeyManager, Environment, KeyConfig, HashConfig, KeyStatus};

// Generate with checksum (enabled by default - 2900x faster DoS protection)
let manager = ApiKeyManager::init_default_config("myapp_sk")?;
let api_key = manager.generate(Environment::production())?;

// Show to user once (they must save it)
println!("API Key: {}", api_key.key().expose_secret());

// Store only the hash
database.save(api_key.hash());

// Later: verify incoming key (checksum checked first)
let status = manager.verify(provided_key, stored_hash)?;
match status {
    KeyStatus::Valid => { /* grant access */ }
    KeyStatus::Invalid => { /* reject - wrong key */ }
}
```

For complete documentation, see the library README or visit docs.rs.
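Why the checksum is checked before the hash, as an added example that is not code from this library: a std-only Rust sketch in which malformed keys never reach the expensive hash. FNV-1a stands in for BLAKE3 and a call counter stands in for Argon2id; the `<body>.<checksum>` key layout and the names `Verifier`, `Outcome`, `issue` and `ct_eq` are hypothetical.

```rust
// Added illustration, not api-keys-simplified code. Std-only stand-ins:
// FNV-1a replaces BLAKE3, `slow_hash` replaces Argon2id. Key layout is hypothetical.

/// Cheap, unkeyed checksum: filters typos and garbage, proves nothing about validity.
fn checksum(body: &str) -> String {
    let mut h: u32 = 0x811c_9dc5;
    for b in body.bytes() {
        h = (h ^ b as u32).wrapping_mul(0x0100_0193);
    }
    format!("{:08x}", h)
}

/// Accumulate differences instead of returning at the first mismatching byte.
/// Production code should use a vetted crate such as `subtle`.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

#[derive(Debug, PartialEq)]
enum Outcome { Malformed, Invalid, Valid }

/// Counts expensive hash invocations so the effect of the gate is observable.
struct Verifier { slow_calls: u32 }

impl Verifier {
    /// Placeholder for the memory-hard hash. NOT suitable for real secrets.
    fn slow_hash(&mut self, key: &str) -> String {
        self.slow_calls += 1;
        format!("slow:{}", checksum(&key.repeat(3)))
    }

    /// Hypothetical layout "<body>.<8 hex checksum>": checksum first, slow hash second.
    fn verify(&mut self, provided: &str, stored_hash: &str) -> Outcome {
        match provided.rsplit_once('.') {
            Some((body, sum)) if ct_eq(checksum(body).as_bytes(), sum.as_bytes()) => {
                let h = self.slow_hash(provided);
                if ct_eq(h.as_bytes(), stored_hash.as_bytes()) { Outcome::Valid } else { Outcome::Invalid }
            }
            _ => Outcome::Malformed, // rejected before any expensive work
        }
    }
}

/// Append the checksum to a key body (constructed sample keys only).
fn issue(body: &str) -> String { format!("{}.{}", body, checksum(body)) }

fn main() {
    let mut v = Verifier { slow_calls: 0 };
    let key = issue("myapp_sk_live_CONSTRUCTED"); // constructed sample, not a real key
    let stored = v.slow_hash(&key);
    println!("{:?}", v.verify("not-a-key", &stored));
    let outcome = v.verify(&key, &stored);
    println!("{:?} (slow hash calls: {})", outcome, v.slow_calls);
}
```

Because the checksum in this sketch is unkeyed, anyone can compute one that passes; it only sheds malformed input, so rate limiting in front of the slow hash is still needed.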
```
api-keys-simplified/
├── crates/
│   └── api-keys-simplified/   # Main library crate
└── Cargo.toml                 # Workspace configuration
```
Licensed under the Apache License, Version 2.0.
Report vulnerabilities to: sandip@ssdd.dev
- Key expiration support
- Key versioning
- Key rotation
- Fix timing attack in dummy_load
- Zero all intermediate string allocations
- Switch to ZII or a hybrid (ZII + RAII) approach for easier memory management.
- Write e2e tests to ensure memory zeroization
- Write e2e tests to verify prevention of side-channel attacks
Contributions welcome!