medusa-store/www/apps/resources/app/commerce-modules/api-key/tokens/page.mdx
Shahed Nasser 4fe28f5a95 chore: reorganize docs apps (#7228)
* reorganize docs apps

* add README

* fix directory

* add condition for old docs
2024-05-03 17:36:38 +03:00

export const metadata = {
title: `API Key Tokens`,
}
# {metadata.title}
In this document, you'll learn how the API Key module generates, revokes, and verifies tokens.
## API Key Types
There are two types of API keys:
- `publishable`: A public key used in client applications, such as a storefront.
- `secret`: A secret key used for authentication and verification purposes, such as an admin user's authentication token or a password reset token.
The API key's type is stored in the `type` field of the `ApiKey` data model.
---
## Publishable Token Generation
When you create a publishable API key, its token is generated using [the `randomBytes` method of Node.js's crypto package](https://nodejs.org/docs/latest-v18.x/api/crypto.html#cryptorandombytessize-callback). The token is `32` characters long and is hex-encoded. It's stored in the `token` field of the `ApiKey` data model.
---
## Secret Token Generation
When you create a secret API key, three tokens are generated:
- A token that's `32` characters long and hex-encoded. It's generated using the `randomBytes` method of Node.js's crypto package.
- A salt token that's `15` characters long and hex-encoded. It's also generated using the `randomBytes` method.
- A hashed token generated from the token and salt token using [the `scrypt` method of Node.js's crypto package](https://nodejs.org/docs/latest-v18.x/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback). It's `64` characters long and hex-encoded.
The salt and hashed tokens are stored in the `ApiKey` data model's `salt` and `token` fields, respectively. The raw (unhashed) token is not stored.
---
## API Key Expiration
An API key expires when it's revoked using the `revoke` method of the module's main service. The method sets the API key's `revoked_at` and `revoked_by` fields accordingly.
The associated token is no longer usable or verifiable.
---
## Token Verification
To verify a token received as an input or in a request, the `authenticate` method of the module's main service goes through all non-expired API keys. For each key, it recalculates the hashed token using the supplied token and the API key's `salt` field.
If the calculated hashed token matches the one in the database, the token is considered verified.