Dev.to
5/10/2026

The 946-Millisecond Tax: Migrating API Key Auth from Bcrypt to HMAC-SHA256
Short summary
The author discovered their API authentication consumed 946ms per request because they used bcrypt—a deliberately slow password-hashing function—on cryptographically random API keys, where the slowness provided no security benefit. By switching to HMAC-SHA256 with a server-side pepper and introducing local caching, they reduced auth overhead from 946ms to single-digit milliseconds. The core insight: security practices must match the actual threat model, not blindly follow conventions.
- Bcrypt's slowness (100ms per comparison) was designed to resist brute-forcing of low-entropy passwords; it adds nothing for high-entropy, unguessable random API keys
- HMAC-SHA256 + pepper + caching reduces auth latency from 946ms to <5ms
- Security decisions should match the actual threat model, not copy industry defaults
Generated with AI, which can make mistakes.