I’m building an API in NodeJS and an SDK for people who want to use the API to make requests to it. When someone wants to make a request, they have to pass an API key to the method they’re using. For example, a request would look something like messages.send({body: "Hello"}, "key_randomKey").
Is it safe to send keys in requests? In this scenario, the key would be passed as a request property; it would be accessed on the actual backend server for the API and then hashed there and compared to the one in the database (keys are also created on the backend server, not on the server making the request). Is this the wrong approach? I’m wondering how to do this securely.
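
Added example, not part of the original post: one way to implement the flow the question describes in Node.js, with the key created on the backend, only its hash stored, and the presented key hashed and compared on each request. The `key_<id>_<secret>` layout, the `Authorization: Bearer` header, SHA-256, the in-memory `keyStore` and the function names are assumptions made for illustration, and the request is assumed to travel over HTTPS.

```javascript
const { randomBytes, createHash, timingSafeEqual } = require("node:crypto");

// Hypothetical stand-in for the database table of API keys.
// Maps keyId -> { hash: Buffer, owner: string }. The raw key is never stored.
const keyStore = new Map();

// A fast hash is adequate here because the secret is 32 random bytes,
// not a human-chosen password that could be guessed offline.
const sha256 = (s) => createHash("sha256").update(s, "utf8").digest();

// Create a key on the backend. The full key is returned to the caller once;
// afterwards only its hash exists server-side.
function issueKey(owner) {
  const keyId = randomBytes(8).toString("hex");          // public lookup part
  const secret = randomBytes(32).toString("base64url");  // 43 chars, no padding
  const apiKey = `key_${keyId}_${secret}`;
  keyStore.set(keyId, { hash: sha256(apiKey), owner });
  return apiKey;
}

// Read the key from a header (assumed transport) instead of the URL, where
// it would end up in access logs, and reject anything not in the issued format.
function extractKey(headers) {
  const m = /^Bearer (key_[0-9a-f]{16}_[A-Za-z0-9_-]{43})$/.exec(
    headers.authorization || ""
  );
  return m ? m[1] : null;
}

// Returns the key's owner, or null when the key is missing, malformed,
// unknown or wrong.
function authenticate(headers) {
  const apiKey = extractKey(headers);
  if (!apiKey) return null;
  const record = keyStore.get(apiKey.split("_")[1]); // keyId is hex, no "_"
  if (!record) return null;
  // Both buffers are 32-byte digests, so timingSafeEqual cannot throw on
  // a length mismatch, and the comparison time does not leak matching bytes.
  return timingSafeEqual(sha256(apiKey), record.hash) ? record.owner : null;
}
```

In the SDK, the second argument of `messages.send` would be placed in that header by the client library rather than in the request body or query string.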