A developer shares their research and hands-on experience designing an API key system for a multi-tenant sharded database architecture. The post covers API key structure (prefix, random hex, checksum), why keys are hashed before storage, and the challenge of routing requests to the correct DB shard without session cookies. Three approaches are explored: full SHA-256 hash-to-account mapping, unique per-account prefix embedding, and a custom base62/base70 encoding. Benchmarks reveal that PostgreSQL B-Tree indexes are equally efficient for long and short strings, and that JavaScript BigInt operations are surprisingly slow due to software-implemented arbitrary-precision math. The final solution uses SHAKE256 (a SHA-3 variant) to generate variable-length outputs, producing a 10-character base64url-encoded prefix that balances performance, index size, and collision resistance.
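As an added illustration (not the author's code) of the scheme the summary describes, the Python below derives a 10-character base64url shard prefix from a SHAKE256 digest, builds a key of prefix + random hex + checksum, stores only a SHA-256 hash of the key, and uses the prefix alone to pick the shard. The `.` separator, the 16-byte random part and the truncated-SHA-256 checksum are assumptions, not details from the post.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

PREFIX_LEN = 10      # base64url chars: 10 chars carry 60 bits of SHAKE256 output
RANDOM_HEX_LEN = 32  # 16 random bytes as hex (assumed size)
CHECKSUM_LEN = 6     # hex chars of SHA-256 over prefix.random (assumed checksum scheme)
SEP = "."            # base64url uses '-' and '_', so neither may serve as separator


def derive_shard_prefix(account_id: str, length: int = PREFIX_LEN) -> str:
    """Variable-length SHAKE256 output, base64url-encoded and cut to `length` chars.
    Deterministic per account, so the prefix alone identifies the owning shard."""
    nbytes = (length * 6 + 7) // 8  # enough bytes to yield `length` base64 chars
    raw = hashlib.shake_256(account_id.encode()).digest(nbytes)
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")[:length]


def _checksum(body: str) -> str:
    return hashlib.sha256(body.encode()).hexdigest()[:CHECKSUM_LEN]


def generate_api_key(account_id: str) -> str:
    body = f"{derive_shard_prefix(account_id)}{SEP}{secrets.token_hex(RANDOM_HEX_LEN // 2)}"
    return f"{body}{SEP}{_checksum(body)}"


def parse_api_key(key: str) -> Optional[str]:
    """Return the shard-routing prefix if the key is well-formed, else None.
    The checksum rejects mangled or guessed keys before any database lookup."""
    parts = key.split(SEP)
    if len(parts) != 3 or len(parts[0]) != PREFIX_LEN or len(parts[1]) != RANDOM_HEX_LEN:
        return None
    if not hmac.compare_digest(_checksum(f"{parts[0]}{SEP}{parts[1]}"), parts[2]):
        return None
    return parts[0]


def storage_hash(key: str) -> str:
    # Only this digest is stored; a leaked table row cannot be replayed as a key.
    return hashlib.sha256(key.encode()).hexdigest()


def route_and_authenticate(key: str, shards: Dict[str, Dict[str, str]],
                           prefix_to_shard: Dict[str, str]) -> Optional[str]:
    """Pick the shard from the key's prefix, then look the stored hash up there."""
    prefix = parse_api_key(key)
    if prefix is None or prefix not in prefix_to_shard:
        return None
    return shards[prefix_to_shard[prefix]].get(storage_hash(key))
```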

From vjay15.github.io

Table of contents

- API keys
- Format of API Keys
- The hurdle I faced
- Conclusion