Storing secrets and building custom API endpoints using Make

Hey everyone - I got a challenge for you!

I want to use Make to build a custom endpoint that other developers will be able to call and receive a response. I’m using Webhook and Wehbook response modules for this. The goal is to consolidate several conditional API calls and reduce complexity for developers that code the solution using the endpoint I’m building.

I even build a simple authentication with Data store - I input an API key in there, and then use the module within scenario to check whether the value of the Authorization header is present in the Data store with secrets.

This approach however is not meeting security standards, since keys can be edited and are also available to any other user of my Make instance.

What approach would you take to create the authentication mechanism in the way, so after creating an API key it cannot be edited or accessed by anyone else than me - or ideally, so even I can’t see it after I create it?

Looking forward to read about your ideas!

One possible improvement to enhance the security of your endpoint is to use an MD5 hashing technique for API key storage and verification. Here’s how the process would work:

  1. When you receive an API key, instead of storing it directly, generate an MD5 hash of the key.

  2. Store the MD5 hash in your data store without storing the actual API key itself. This way, even if someone gains access to your data store, they won’t be able to retrieve the original API key.

  3. Upon receiving an API key in your Webhook, generate an MD5 hash of the received key.

  4. Compare the MD5 hash of the received key with the stored MD5 hash in your data store. If the two hashes match, authentication is successful. If they don’t match, the key has been modified or is invalid.

By implementing this MD5 hashing approach, you maintain the security of the API key without needing to store it directly. Modifying the key will result in a different MD5 hash, preventing unauthorized access even if someone tries to tamper with the API key.