
Hashing Property

At-rest hash algorithm (SHA-256, SHA-512 or Bcrypt) with optional Salt and Iterations for key stretching.

Syntax

property Hashing: TsgcAPIKeyHashing read FHashing write SetHashing;

Default Value

Remarks

Plaintext keys are never persisted. IssueKey hashes the generated key using Algorithm (khaSHA256, khaSHA512 or khaBcrypt) with the static Salt mixed in and Iterations rounds applied, then stores only the digest. ValidateKey re-hashes the incoming value and performs a constant-time comparison. SHA-256 is the sensible default; SHA-512 fits higher-security (FIPS 140-2 Level 3) profiles; Bcrypt adds deliberate key-stretching so an offline brute-force against a leaked key store is dramatically harder. Changing the Salt invalidates every existing key, so settle on it before going live.

Example

// SHA-512 with a static salt and 10k iterations for key stretching
sgcWSAPIKeyManager1.Hashing.Algorithm := khaSHA512;
sgcWSAPIKeyManager1.Hashing.Salt := 'my-salt';
sgcWSAPIKeyManager1.Hashing.Iterations := 10000;
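
The flow described in Remarks (keep only the digest, re-hash and compare in constant time, and a Salt change invalidating stored keys), as an added example built on the Delphi RTL `System.Hash` unit; it is not sgcWebSockets code. The salt-then-iterate construction, the names `HashKey` and `ConstantTimeEquals`, the sample key and both salt values are assumptions made for illustration, and the component's internal scheme may differ.

```delphi
program ApiKeyHashDemo;
{$APPTYPE CONSOLE}
uses
  System.SysUtils, System.Hash;

const
  // Constructed sample values, not real credentials.
  SAMPLE_KEY = 'sk_demo_3f9c1a7e5b2d4c6a';
  SALT_V1 = 'my-salt';
  SALT_V2 = 'my-new-salt';
  ITERATIONS = 10000;

// Assumed construction: SHA-512 over salt + key, then the digest is
// re-hashed until AIterations rounds are done (hypothetical helper).
function HashKey(const AKey, ASalt: string; AIterations: Integer): TBytes;
var
  i: Integer;
  h: THashSHA2;
begin
  Result := TEncoding.UTF8.GetBytes(ASalt + AKey);
  for i := 1 to AIterations do
  begin
    h := THashSHA2.Create(THashSHA2.TSHA2Version.SHA512);
    h.Update(Result);
    Result := h.HashAsBytes;
  end;
end;

// Visits every byte regardless of where the first mismatch is, so timing
// does not reveal how much of a guessed digest was correct.
function ConstantTimeEquals(const A, B: TBytes): Boolean;
var
  i: Integer;
  Diff: Byte;
begin
  if Length(A) <> Length(B) then Exit(False);
  Diff := 0;
  for i := 0 to High(A) do
    Diff := Diff or (A[i] xor B[i]);
  Result := Diff = 0;
end;

var
  Stored: TBytes;
begin
  // Issue: only the digest is stored; the plaintext key goes to the client.
  Stored := HashKey(SAMPLE_KEY, SALT_V1, ITERATIONS);
  Writeln('valid key:  ', ConstantTimeEquals(Stored, HashKey(SAMPLE_KEY, SALT_V1, ITERATIONS)));
  Writeln('wrong key:  ', ConstantTimeEquals(Stored, HashKey(SAMPLE_KEY + 'x', SALT_V1, ITERATIONS)));
  Writeln('new salt:   ', ConstantTimeEquals(Stored, HashKey(SAMPLE_KEY, SALT_V2, ITERATIONS)));
end.
```

The third check re-hashes the same key under a different salt and fails against the stored digest, which is why a Salt change on a live key store locks out every issued key.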
