Any issues about using NEWID() for API key?

Question

I am working on a small piece that will generate an API Key using SQL Sever's NEWID(). The key will be used to access certain parts of our web app and will be passed in through a URL. The key is generated when a new API consumer is created (in a Stored Proc). The key is unique for each consumer. While the initial number of consumers is expected to be relatively low, it will grow over time but with a relatively low frequency.

Some of the constraints are:

• Key has to be generated at Insert level
• Must be unique for each consumer
• Performance, as always, is important

Are there any issues with this approach - security, performance or other? Is there a better way to achieve the same result?

Answer 1

There should be no problems with this. NEWID() generates a GUID which is guaranteed to be unique on your system.

You should not use NEWSEQUENTIALID() as it can be easily guessable, as noted here, but no warning is given in the documentation of NEWID() so I would assume it does not have the same problem. This means there should not be a security issue.

As for performance, initial generation of a key may take longer than some other methods, but the guaranteed uniqueness makes up for it. Lookups should also be quick if you index the column.

Answer 2

I've done this without any issues. INSERT is a relatively expensive operation, the overhead of NEWID() is comparatively trivial.