Security Tips

INFO

⚠️ KeyAuth is an authentication API, not a client-side obfuscation service. Anyone who wishes to use our API is responsible for the protection of their code. This is a standard in the industry in other authentication services. It is also good pratice to familarize yourself with the knowledge of protecting your own code. ⚠️

There is no point in doing the steps below if you're sending requests from a server. As servers will not need this protection as the user will not be able to modify the network traffic between the server and the KeyAuth API.

GUID Setup

You are going to want to include a random GUID in the enckey paramater with the initialization request to the 1.2 endpoint. Make sure that the length of the GUID is 36 characters or less. You will send this GUID in the enckey paramater only on init (initialization), none of the other requests.

Then you will want to store this GUID along with your application secret for later reference. Example: [GUID]-[secret].

So, if my GUID that I passed in the enckey parameter was 4a59f8ca-b304-47 and my application secret is 76489f2ba92ddf9132e28d56870004a62d30ec5b40eaf2071ae48036e7144b5f, I would want to store the string 4a59f8ca-b304-47-76489f2ba92ddf9132e28d56870004a62d30ec5b40eaf2071ae48036e7144b5f for later use for the initialization response.

For initialization request responses, there is a signature header which is a SHA256 HMAC of the JSON response encoded with the application secret.

So the header is signature: 8d0a11b00f44bee4e563117db28533943f5170854f5f65e69470c59bffb7d0d5 and the JSON response is:

{
    "success":true,
    "message":"Initialized",
    "sessionid":"b8Q1f62SdW",
    "appinfo":
    {
        "numUsers":"6",
        "numOnlineUsers":"120",
        "numKeys":"1533",
        "version":"1.0",
        "customerPanelLink":"https:\/\/localhost\/panel\/wnelson03\/test\/"
    }
 }

Encoding the above JSON with my application secret 76489f2ba92ddf9132e28d56870004a62d30ec5b40eaf2071ae48036e7144b5f on the website HMAC SHA256 ONLINE I get the following output: 8d0a11b00f44bee4e563117db28533943f5170854f5f65e69470c59bffb7d0d5. In my application, I compare these and abort the program if the do not match.

For all other responses, you're going to need the string that you saved earlier, [GUID]-[secret].

My string is 4a59f8ca-b304-47-76489f2ba92ddf9132e28d56870004a62d30ec5b40eaf2071ae48036e7144b5f and the JSON response is:

{
    "success":true,
    "message":"Logged in!",
    "info":
    {
        "username":"3Y8FC2-MRHKUO-U9RH8I-GNHD2U-THK4X8-PW584D",
        "subscriptions":
        [
            {
                "subscription":"default",
                "key":"3Y8FC2-MRHKUO-U9RH8I-GNHD2U-THK4X8-PW584D",
                "expiry":"1659657607"
             },
             {
                 "subscription":"default",
                 "key":null,
                 "expiry":"1659749662"
             }
         ],
         "ip":"::1",
         "hwid":null,
         "createdate":"1659225608",
         "lastlogin":"1659363059"
    }
}

and the header that I received was signature: e2993347290077c90011694bf887975117bff08897106f9c501d75c48102f721

Encoding the JSON response that I received with the string that I saved before I made the init request, 4a59f8ca-b304-47-76489f2ba92ddf9132e28d56870004a62d30ec5b40eaf2071ae48036e7144b5f on the website HMAC SHA256 ONLINE, I get the same result as the signature e2993347290077c90011694bf887975117bff08897106f9c501d75c48102f721

Security Pratices

Security Tips#

GUID Setup#

Security Tips

GUID Setup