pub fn validate_api_key_multiple(provided: &str, expected_keys: &[&str]) -> bool
Validate an API key against multiple possible keys (constant-time)
This function checks if the provided key matches any of the expected keys, while maintaining constant-time properties. The total comparison time is proportional to the number of keys checked, not to which key matches or where mismatches occur.
§Security Note
While this maintains constant-time comparison for each individual key,
the total time is O(n) where n is the number of keys. This means:
- An attacker can determine approximately how many keys are stored
- But cannot determine which character positions are correct
- Cannot perform character-by-character guessing attacks
For systems with many API keys (>1000), consider using a pre-hashed lookup table to avoid the linear scan.
§Example
use turbomcp_auth::api_key_validation::validate_api_key_multiple;

let provided = "sk_live_key2";
let valid_keys = vec![
    "sk_live_key1",
    "sk_live_key2",
    "sk_live_key3",
];
assert!(validate_api_key_multiple(provided, &valid_keys));
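The scan described above, as an added std-only sketch that is not turbomcp_auth's own implementation: every key is compared in full and a match never ends the loop early. The names `ct_eq` and `validate_any_key` are hypothetical, and production code would normally use a vetted constant-time crate such as `subtle` instead of a hand-written comparison.

```rust
use std::hint::black_box;

// Hypothetical helper: compares without stopping at the first mismatch.
// The work done depends only on `provided.len()`, which the caller already knows.
fn ct_eq(provided: &[u8], expected: &[u8]) -> bool {
    // A length mismatch is folded into the accumulator, not returned early.
    let mut diff: usize = provided.len() ^ expected.len();
    let n = expected.len().max(1);
    for (i, p) in provided.iter().enumerate() {
        // Wrap the index so unequal lengths still read in-bounds bytes.
        let e = expected.get(i % n).copied().unwrap_or(0);
        diff |= (*p ^ e) as usize;
    }
    // black_box is a best-effort hint against the optimizer, not a guarantee.
    black_box(diff) == 0
}

// Hypothetical name: checks every key, even after a match has been found.
pub fn validate_any_key(provided: &str, expected_keys: &[&str]) -> bool {
    let mut matched = false;
    for key in expected_keys {
        // `|=` on bool evaluates its right-hand side unconditionally,
        // unlike `||` or `Iterator::any`, which stop at the first hit.
        matched |= ct_eq(provided.as_bytes(), key.as_bytes());
    }
    black_box(matched)
}

fn main() {
    // Constructed sample keys, same shape as the example on this page.
    let keys = ["sk_live_key1", "sk_live_key2", "sk_live_key3"];
    assert!(validate_any_key("sk_live_key2", &keys));
    assert!(!validate_any_key("sk_live_key", &keys)); // prefix only
    println!("ok");
}
```
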