Throughout my career, I've relied on and used various API services in my project. I saw multiple mechanisms of how these APIs are secured, but most common one seems to be via API Keys.
I am now planning to build out my own API service and being unfamiliar with security part of this I had few questions:
So far, what I gathered is to do the following: Create API key, store it's hash in db, only show api key to user 1 time, check for api key in requests and rate-limit based on it.
But above raises one concern, if someone was to inspect customer website they could easily get this api key (if customer is calling api directly from their front end) and abuse it, correct? This can be done in form of constantly hitting rate-limits or sending bad data to customers dashboard.
I feel like I am missing few key parts here and would appreciate if someone could outline best practices of how this is done nowadays in NodeJS. Thank you.
EDIT: Users of such service would be developers utalizing this API in their product