Hashing of API keys

In my system each user can have multiple API keys. I want to hash the API keys and store their hashes in a database. I'm using Comeonin for this.

  1. Is it sensible to store hashes of API keys rather than their plain, original values?

  2. When an API request comes in, there's only a plain API key value in it and no user email along with it; this is how my system is designed.

How should I check if an api key is valid? Will I have to do this:

given_api_plain_key = get_key_from_request()

# re-hash it again
# but how about the original salt???
given_api_hash_key = Comeonin.Bcrypt.hashpwsalt(given_api_plain_key)

case Repo.get_by(ApiKey, key_hash: given_api_hash_key) do
  nil -> IO.puts("not found")
  _api_key -> IO.puts("gooood")
end

Or is there a better way?

Salt can be public (but it should be unique for each hash). Bcrypt even stores the salt in the hash itself.
You can, for example, use part of the API key as the salt.
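A worked version of the two designs the question and the reply above are circling, as an added example (in Python, not the poster's Elixir/Comeonin code, and not code from the original thread). Scheme A hashes the whole random key with plain, unsalted SHA-256 so the digest itself is the indexed lookup column; no salt is needed because the key is already a 256-bit random secret rather than a guessable password. Scheme B takes the reply's "part of the key" idea one step further: a public prefix is the lookup column, and only the secret part goes through a salted slow hash. PBKDF2 from the standard library stands in for bcrypt here; the `.` separator, the 8-hex-character prefix and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed work factor for the slow KDF; it plays roughly the role of bcrypt's cost parameter.
PBKDF2_ITERATIONS = 100_000


# ---- Scheme A: one opaque random token, stored as an unsalted SHA-256 digest ----

def generate_key_a():
    # The key itself is the secret, so it must come from a CSPRNG (32 bytes = 256 bits).
    return secrets.token_urlsafe(32)


def hash_key_a(plain_key):
    # Deterministic hash: the same key always maps to the same digest, so the digest
    # can be the indexed lookup column. A per-key salt would defeat that lookup and
    # buys nothing here: a 256-bit random key cannot be brute-forced or found in a
    # rainbow table the way a human-chosen password can.
    return hashlib.sha256(plain_key.encode("utf-8")).hexdigest()


def store_key_a(table, user_id, plain_key):
    # Only the digest is persisted; the plain key is shown to the user once and forgotten.
    table[hash_key_a(plain_key)] = user_id


def lookup_key_a(table, plain_key):
    # Answers the question's "re-hash it and look it up" directly: there is no salt
    # to recover because none was used. Returns the owning user id or None.
    return table.get(hash_key_a(plain_key))


# ---- Scheme B: public prefix for lookup + salted slow hash of the secret part ----
# Assumed key format "<api_id>.<secret>". The prefix is the part of the key that is
# public, used as the row identifier; a separate random salt is still stored per row.

def generate_key_b():
    api_id = secrets.token_hex(4)       # 8 hex chars, not secret, safe to log
    secret = secrets.token_urlsafe(32)  # the part that must stay secret
    return f"{api_id}.{secret}"


def _split_key_b(plain_key):
    parts = plain_key.split(".", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return parts[0], parts[1]


def _kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_key_b(table, user_id, plain_key):
    api_id, secret = _split_key_b(plain_key)
    salt = os.urandom(16)
    table[api_id] = {"user_id": user_id, "salt": salt, "secret_hash": _kdf(secret, salt)}


def verify_key_b(table, plain_key):
    # 1. Parse the public prefix out of the presented key; reject malformed input.
    split = _split_key_b(plain_key)
    if split is None:
        return None
    api_id, secret = split
    # 2. Fetch the row by prefix; this is where the stored salt comes from.
    row = table.get(api_id)
    if row is None:
        # Burn the same KDF cost on unknown prefixes so a missing row is not
        # distinguishable from a wrong secret by response time.
        _kdf(secret, b"\x00" * 16)
        return None
    # 3. Re-derive with the stored salt and compare in constant time.
    candidate = _kdf(secret, row["salt"])
    if hmac.compare_digest(candidate, row["secret_hash"]):
        return row["user_id"]
    return None


if __name__ == "__main__":
    keys_a, keys_b = {}, {}  # constructed in-memory stand-ins for the database tables
    ka = generate_key_a()
    store_key_a(keys_a, "user-1", ka)
    print("scheme A valid:", lookup_key_a(keys_a, ka))
    print("scheme A bogus:", lookup_key_a(keys_a, "not-a-key"))
    kb = generate_key_b()
    store_key_b(keys_b, "user-2", kb)
    print("scheme B valid:", verify_key_b(keys_b, kb))
    print("scheme B wrong secret:", verify_key_b(keys_b, kb.split(".", 1)[0] + ".wrong"))
```

Scheme A is the simpler one and is enough when keys are generated server-side from a CSPRNG; scheme B is what to reach for if a slow hash like bcrypt is wanted anyway, since it resolves the "which salt?" problem by storing the salt on the row that the public prefix selects.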

As far as I know, you should only hash your passwords; since the API key and API ID are already hashed values, you should not hash them again.

We have an API key and an API ID for a user:

  # short public identifier: first 8 hex chars of a random UUID
  api_id = UUID.uuid4(:hex) |> String.slice(0..7)
  # the key itself: a full random UUID as 32 hex chars
  api_key = UUID.uuid4(:hex)