
Usually, if I consume third-party APIs, they all give us two keys, and they are:

API Key: kind of a random number or GUID

Pin/Secure Key/etc.: kind of a password or OTP

Now, assuming that I am a third party and I want my APIs to be consumed by retailers, I would also like to create and give these credentials to API consumers. I work in .NET Core. Is there any way to create these, and also we have to apply security or token-based security.

I am confused because I have no idea how this can be accomplished.

As I researched a few questions on Stack Overflow, they suggest using this, or this, or some use HMAC security, but with HMAC we have to mandate that the client also uses HMAC so that the same signatures can be matched.

I am in a confused state of mind. Can you please suggest some ways by which I can do this in .NET Core?

Sweetie

1 Answer


Generating API keys can basically be broken down to just generating cryptographically random strings. The following C# code snippet I had lying around generates a random hex string:

    using System.Security.Cryptography;
    using System.Text;

    public static string RandomString()
    {
        // 64 bytes (512 bits) from the OS-backed CSPRNG; System.Random is not suitable here.
        byte[] randomBytes = new byte[64];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(randomBytes);
        }
        // Hash down to 32 bytes. SHA256.Create() works on .NET Core on every platform,
        // unlike the Windows-only SHA256Cng.
        byte[] hashedBytes;
        using (SHA256 shaHashFunction = SHA256.Create())
        {
            hashedBytes = shaHashFunction.ComputeHash(randomBytes);
        }
        // Encode as lowercase hex: 32 bytes -> 64 characters.
        StringBuilder randomString = new StringBuilder(hashedBytes.Length * 2);
        foreach (byte b in hashedBytes)
        {
            randomString.AppendFormat("{0:x2}", b);
        }
        return randomString.ToString();
    }

You can easily change the length of the resulting key by using a different hash function, or you can switch the hex encoding to Base64 encoding (`Convert.ToBase64String(hashedBytes)`, which would replace the foreach loop), which is more common when using API keys.

Frederik Hoeft
  • After this is generated, I have to keep this API key in my database and issue this key to the client? Moreover, I also have to keep an API secret. And the vendor using our API should send these details in the headers of the request? – Sweetie Dec 26 '19 at 10:06
  • Yes to all of your questions. Like passwords, the secure key has to be kept secret at all cost, using encryption where needed. The exact security policies to apply highly depend on your specific project, and it's probably up to you to come up with them. But you probably want to store the hashed secret key in a database and use the API key for authentication (like username-password). HMACs may be used to ensure secure transmission of the keys, but by themselves they usually do not affect key generation. – Frederik Hoeft Dec 29 '19 at 18:30
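The issue-and-verify flow that the answer and its comments describe, written out as an added example (this is not code from the answer or from any project): the API key is a random lookup id, only a SHA-256 hash of the secret is stored, and validation compares hashes in constant time. The `ApiCredentialStore` class, the `X-Api-Key`/`X-Api-Secret` header names and the in-memory dictionary standing in for the database table are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical issuer/verifier for API key + secret pairs (example code, not the answer's).
// The Dictionary stands in for the database table mentioned in the comments.
public sealed class ApiCredentialStore
{
    private sealed class Credential
    {
        public byte[] SecretHash;   // only the hash of the secret is ever stored
        public string ClientName;
    }

    private readonly Dictionary<string, Credential> _byApiKey =
        new Dictionary<string, Credential>();

    // Issue a pair for a retailer; the plaintext secret is returned once and never stored.
    public (string apiKey, string apiSecret) Issue(string clientName)
    {
        string apiKey = RandomToken(16);    // 128-bit public identifier (X-Api-Key)
        string apiSecret = RandomToken(32); // 256-bit secret shown to the client once (X-Api-Secret)
        _byApiKey[apiKey] = new Credential { SecretHash = HashSecret(apiSecret), ClientName = clientName };
        return (apiKey, apiSecret);
    }

    // Validate the values a client sends in its X-Api-Key / X-Api-Secret request headers.
    public bool Validate(string apiKey, string presentedSecret)
    {
        Credential cred;
        if (apiKey == null || presentedSecret == null || !_byApiKey.TryGetValue(apiKey, out cred))
            return false;
        // Constant-time comparison so a mismatch does not leak how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(HashSecret(presentedSecret), cred.SecretHash);
    }

    // URL-safe Base64 of CSPRNG bytes, the encoding the answer recommends for API keys.
    private static string RandomToken(int byteCount)
    {
        byte[] bytes = new byte[byteCount];
        RandomNumberGenerator.Fill(bytes); // available since .NET Core 2.1
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Secrets are 256 random bits, so an unsalted SHA-256 is sufficient; a slow password hash
    // such as PBKDF2 is only needed if a secret could ever be low-entropy.
    private static byte[] HashSecret(string secret)
    {
        using (SHA256 sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(secret));
    }
}
```

`Validate(key, secret)` returns true only for a pair produced by `Issue`; a wrong or missing secret, or an unknown key, returns false without revealing which part failed.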