chore(docs): Add section for retrievable vs irretrievable keys

LauraBeatris · Apr 9, 2024 · dc060f3 · dc060f3
1 parent 467c6b4
commit dc060f3
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/docs/pages/design/node/index.md b/docs/pages/design/node/index.md
@@ -98,4 +98,10 @@ The `Auth` object should contain an identifier for the non-user principal making
 
 #### Security considerations
 
-The hashed key should be returned in the response for better security. When attempting to verify the API Key, then the `key` argument provided should be hashed and compared to the stored hashed key. If they match, then the API Key is valid.
+API-key implementations is divided into two groups: **Retrievable** and **Irretrievable**. Each have their security tradeoffs.
+
+**Retrievable:**
+
+The keys are stored via a one-way encryption process so they can never be retrieved, or stolen from the database in a worse case scenario. Stripe and Amazon AWS use this approach.
+
+[Unkey](https://unkey.dev/docs/security/overview) applies a similar concept, where the hashed keys get stored. When attempting to verify the API Key, then the `key` argument gets hashed and compared to the stored hashed key. If they match, then the API Key is valid.