Thanks for the read. I have a question regarding the "The algorithm behind an API key system" - Why do you need the salt for? Seems that if you generate the random api-key, and not the user, you can guarantee strong enough entropy. Also, I didn't understand - is it a unique salt for each api-key? how do you retrieve it? all the client has is the secret, you don't know the salt at the time of the validation