Secure API Keys

Published March 2026 • Updated this week

Plugin details

Secure API Key Generator & Validator (Server-side)
Secure API Key Generator & Validator helps you implement production-grade API authentication in Bubble applications without storing sensitive secrets in your database.

Instead of saving API keys in plain text, this plugin generates keys that can be verified cryptographically while ensuring the original secret is never stored. This approach significantly reduces the risk of key exposure in the event of a database leak.

The plugin follows security patterns used by platforms such as Stripe, Supabase, and AWS.

Key format

Generated API keys use the following structure:

<prefix>.<env>.<kid>.<secret>

Example:

swpk.live.0193f6b2-9f4b-7c2d-b2a1-6e9d9c6e8c4a.Np7K2sY9QhF3xV8cLm2RwT6uZp4JkA1b

Where:

  • prefix identifies the product or application
  • env specifies the environment (test or live)
  • kid is a unique key identifier (UUID-based)
  • secret is a randomly generated private value

Instead of storing the full API key, the plugin returns:

  • a unique salt
  • a SHA256 hash of the salt combined with the secret
  • a key identifier for reference

This ensures:

  • The full API key is never stored in the database
  • The secret cannot be reconstructed
  • Key validation remains extremely fast
  • The system is suitable for high-frequency API usage

The plugin works entirely server-side and is designed for performance-sensitive use cases such as:

  • API authentication
  • SaaS integrations
  • webhook verification
  • multi-tenant architectures
  • secure backend workflows

How it works

Step 1 — Generate an API key

Use the generate_api_key action.

Inputs:

  • prefix → identifies your product (example: swpk)
  • env → environment (test or live)

Outputs:

  • api_key → the full key (display once to the user)
  • env → environment
  • kid → key identifier
  • salt → random salt
  • hash → SHA256(salt + secret)
  • key_identifier → non-sensitive identifier for logs or UI

Store the following fields in your database:

  • env
  • kid
  • salt
  • hash

Do NOT store the full API key.

Step 2 — Verify an API key

Use the verify_api_key action when an API request is received.

Inputs:

  • api_key → the key provided by the client
  • prefix → expected prefix
  • kid → stored key id
  • salt → stored salt
  • hash → stored hash

Output:

  • valid → true or false
  • env → environment extracted from the key
  • reason → validation result

Typical workflow:

  • receive API key via Authorization header
  • extract the kid
  • retrieve stored salt and hash
  • call verify_api_key
  • allow or reject the request

Security design

The plugin uses salted SHA256 hashing:

hash = SHA256(salt + secret)

Because the secret is never stored:

  • Even a database breach cannot expose valid API keys
  • Keys cannot be reconstructed by developers or attackers
  • Each key uses a unique salt
  • Timing-safe comparison prevents timing attacks
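
The generate and verify steps and the salted-hash check described above, as an added Node.js sketch; it is not the plugin's source code. The string concatenation order, hex encoding, base64url secret, UUIDv4 kid and the reason strings are assumptions made for illustration. Because the hash covers only the secret, this sketch also compares the env and kid segments with the stored record.

```javascript
// Added illustration of the scheme described on this page; not the plugin's code.
const crypto = require("node:crypto");

// hash = SHA256(salt + secret); string concatenation and hex output are assumptions.
const sha256Hex = (salt, secret) =>
  crypto.createHash("sha256").update(salt + secret, "utf8").digest("hex");

// Step 1: build <prefix>.<env>.<kid>.<secret> plus the record to persist.
function generateApiKey(prefix, env) {
  if (!/^[a-z0-9]+$/.test(prefix)) throw new Error("bad prefix");
  if (env !== "test" && env !== "live") throw new Error("bad env");
  const kid = crypto.randomUUID(); // assumption: UUIDv4
  const secret = crypto.randomBytes(24).toString("base64url"); // 32 chars, no "."
  const salt = crypto.randomBytes(16).toString("hex");
  return {
    api_key: `${prefix}.${env}.${kid}.${secret}`, // show once, never persist
    record: { env, kid, salt, hash: sha256Hex(salt, secret) }, // persist this
    key_identifier: `${prefix}.${env}.${kid}`, // safe for logs and UI
  };
}

// Step 2: parse the presented key, check the unhashed segments against the
// stored record, then compare hashes in constant time.
function verifyApiKey(apiKey, prefix, record) {
  const fail = (reason) => ({ valid: false, env: null, reason });
  const parts = String(apiKey).split(".");
  if (parts.length !== 4 || parts.some((p) => p === "")) return fail("malformed");
  const [pfx, env, kid, secret] = parts;
  if (pfx !== prefix) return fail("prefix_mismatch");
  if (!record || kid !== record.kid) return fail("unknown_kid");
  if (env !== record.env) return fail("env_mismatch");
  if (record.revoked) return fail("revoked");
  const got = Buffer.from(sha256Hex(record.salt, secret), "hex");
  const want = Buffer.from(String(record.hash), "hex");
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want))
    return fail("hash_mismatch");
  return { valid: true, env, reason: "ok" };
}
```
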

Use cases

  • secure Bubble APIs
  • SaaS authentication systems
  • payment integrations
  • webhook signature validation
  • multi-environment setups (test/live)
  • reusable authentication infrastructure

Why this plugin exists

No-code tools allow teams to build products faster than ever. However, security standards should remain the same as in traditional development environments.

This plugin helps developers implement robust authentication patterns without needing advanced cryptography knowledge.

License

This plugin is provided for free to support the Bubble developer community.

You are free to use it in commercial and non-commercial projects.

No warranty is provided. Always review your application security architecture before deploying to production.

Free

For everyone

stars   •   0 ratings
1 installs  
This plugin does not collect or track your personal data.

Platform

Web & Native mobile

Contributor details

Amen from Nocode Afrique
Joined 2021   •   13 Plugins

Instructions

Plugin publication checklist (Free license)
1. Visibility

Plugin visibility → Public
Pricing → Free

2. Category

Category → Technical / Utilities
Plugin type → Server-side

3. Tags

Recommended tags:

  • api
  • security
  • authentication
  • backend
  • cryptography
  • developer tools

4. Usage example

Example inputs for generate_api_key:

prefix: swpk
env: live

5. Best practices

  • Display the API key only once to the user
  • Never store the full API key in the database
  • Store only env, kid, salt and hash
  • Use kid as an indexed field for fast lookup
  • Use verify_api_key in backend workflows only

6. Recommended database fields

  • env (text)
  • kid (text, indexed)
  • salt (text)
  • hash (text)
  • created_date (date)
  • revoked (yes/no)

7. Example Authorization header

Authorization: Bearer swpk.live.<kid>.<secret>

8. Recommended UX pattern

  • Show the API key once after generation
  • Allow regeneration of keys
  • Show only key_identifier in UI

Example:

swpk.live.0193f6b2-9f4b-7c2d-b2a1-6e9d9c6e8c4a
