So I've had this idea for an API for a while but the problem I keep coming back to is authentication. I'm using rocket to actually code it. I looked through the rocket docs and it looks like the closest thing to API key authentication it has are cookies.

I then went and looked at some other APIs to see if I can copy their layouts and it looks like a lot of them use an API key and then a secret API key for authentication. Did some more googling and stackoverflow said that it's more secure to use a pair like that.

So that leaves me with the actual question: how do you actually implement this feature? Do you just generate API keys and throw them a database to be looked up later? Should they be written/read to a file to be used later(probably not a good option I'd guess).

Just for reference I'm using rocket, sqlx and postgres.