PHP API Key Generator


Question

Does anyone know of any API key generator script/class for PHP? The class should have method generate, that would generate a key and isValid() method, to check if the key is valid.

Recommended answer

There are multiple ways to generate API keys. I've used the following 3 methods depending on the applications:

  1. Base62(random). Generate a large secure random number and Base-62 encode it. The key looks like "w5vt2bjzf8ryp63t". This is good for a self-provisioned system. You don't have to worry about collisions and inappropriate keys. You have to check the database to know if the key is valid.

  2. Base62(MD5-HMAC(key, Normalize(referer))). This works great if the API is only allowed from one site. Just check the HMAC of the normalized referer and you know if the key is valid, no database access. You need to keep the HMAC key secret to do this.

  3. Human-assigned friendly names like "example.com". This works great if API users are required to own a domain or they are your corporate partners.

Please keep in mind that there is no security in API keys. It's just a name assigned to your API application. More and more people are using terms like "App ID" or "Dev ID" to reflect what it really is. You have to assign another secret key if you want to secure your protocol, like consumer_key/consumer_secret in OAuth.
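
A sketch of methods 1 and 2 from the answer above as a single class, added here as an example and not code from the original answer. The class name `ApiKeyGenerator`, the `generateForReferer()` method, the normalization rule and the use of HMAC-SHA-256 in place of the answer's MD5-HMAC are assumptions of this example; it needs PHP 8.0 or later.

```php
<?php
final class ApiKeyGenerator
{
    private const ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

    // $hmacSecret is the server-side HMAC key from method 2; it never leaves the server.
    public function __construct(private string $hmacSecret) {}

    // Method 1: random key from the CSPRNG. Validity is a database lookup, not shown here.
    public function generate(int $bytes = 16): string
    {
        return self::base62(random_bytes($bytes));
    }

    // Method 2: key derived from the one site allowed to call the API.
    public function generateForReferer(string $referer): string
    {
        $mac = hash_hmac('sha256', self::normalize($referer), $this->hmacSecret, true);
        return self::base62($mac);
    }

    // Recompute the HMAC and compare in constant time; no database access needed.
    public function isValid(string $key, string $referer): bool
    {
        return hash_equals($this->generateForReferer($referer), $key);
    }

    // Assumed normalization: lower-cased host without scheme, port, path or "www.".
    private static function normalize(string $referer): string
    {
        $host = parse_url($referer, PHP_URL_HOST) ?: $referer;
        return (string) preg_replace('/^www\./', '', strtolower($host));
    }

    // Big-endian bytes to Base62 by repeated long division by 62 (no GMP/BCMath needed).
    private static function base62(string $bytes): string
    {
        $digits = array_values(unpack('C*', $bytes));
        $out = '';
        while ($digits) {
            $rem = 0; $next = [];
            foreach ($digits as $d) {
                $acc = $rem * 256 + $d;
                [$q, $rem] = [intdiv($acc, 62), $acc % 62];
                if ($next || $q > 0) { $next[] = $q; }
            }
            $out = self::ALPHABET[$rem] . $out;
            $digits = $next;
        }
        return $out;
    }
}
```

With a constructed secret, `(new ApiKeyGenerator($secret))->generateForReferer('https://www.example.com/page')` and the same call with `'http://example.com/'` return the same key, and `isValid()` accepts it only for that host. Keys from `generate()` carry no structure, so they are checked against the stored value in the database as method 1 describes.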
