API keys need to have the properties that they:
- uniquely identify an authorized API user -- the "key" part of "API key"
- authenticate that user -- cannot be guessed/forged
- can be revoked if a user misbehaves -- typically they key into a database that can have a record deleted.
Typically you will have thousands or millions of API keys not billions, so they do not need to:
- Reliably store information about the API user because that can be stored in your database.
As such, one way to generate an API key is to take two pieces of information:
- a serial number to guarantee uniqueness
- enough random bits to pad out the key
and sign them using a private secret.
The counter guarantees that they uniquely identify the user, and the signing prevents forgery. Revocability requires checking that the key is still valid in the database before doing anything that requires API-key authorization.
A good GUID generator is a pretty good approximation of an incremented counter if you need to generate keys from multiple data centers or don't have otherwise a good distributed way to assign serial numbers.
or a hash of a random string
Hashing doesn't prevent forgery. Signing is what guarantees that the key came from you.