API - Key encryption

Need some security advice… I work for company who is hosting their software on Prem… We are building an ASP.Net Core API and I will be utilizing security with API Keys that we will authenticate and return JWT tokens. My question is should we utilize a secure key vault storage like Hashicorp Vault or use something like Azure Key Vault to store an encrypted API Key or do you think if we are only storing (as of now ) a single client’s API key that just storing it encrypted or maybe as a hash of some sort in our database or a file (like an encrypted .env) on a local server would suffice?


In my past company we used to keep JWT token in plain format in the browser’s local storage.
I think HashiCorp Vault would be best solution.

I will have to see if the overhead and expenses for HashiCorp Vault are warranted for storing this single key… I have developing some code in .Net that seems like it would be hard to break storing the key as a SHA512 hash using a 256-bit key + 256-bit salt… I know I wouldnt want to be handling lots of various keys and accounts though doing this. But wondering for a single key or few keys if this would be ok to store locally on a server used for auth?

We have an API that will be used by third parties, but I prefer to use JWTs as it will scale better as we have more users and there will be a single point of authentication vs having to pass api keys with each request which I feel is less secure.

Are you planning to use https://www.vaultproject.io/docs/auth/jwt ?

Looking to probably use ASP.Net Identity on a local server for the time being, but open to using a service like Hashicorp Vault, esp as we may plan to scale out user based security… For the time being we are starting with single client with a web server app , so nobody will be directly connecting to our API… Our security needs are minimal now, but can grow as we upgrade the security plan.