After some searching, I found http://stackoverflow.com/questions/1448455/php-api-key-generator, and I think the following approach from it looks good: Base62(MD5-HMAC(key, Normalize(referer))). This works great if the API is only allowed from one site. Just check the HMAC of the normalized referer and you know if the key is valid, no database access. You need to keep the HMAC key secret to do this.
However, I don't know how to implement HMAC encryption in Rails.
Also, does anyone have any good encryption methods? Thanks.
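
The scheme quoted in the post, Base62(MD5-HMAC(key, Normalize(referer))), can be written in plain Ruby with the standard `openssl` library, which is available to any Rails application. This is an added example, not code from the post or from the linked answer; the normalization rule (lowercased host without a leading `www.`), the function names and the secret are assumptions made for illustration.

```ruby
require "openssl"
require "uri"

BASE62_ALPHABET = [*"0".."9", *"A".."Z", *"a".."z"].freeze

# Assumed normalization: keep only the lowercased host, without a leading "www.".
def normalize_referer(referer)
  host = URI.parse(referer.to_s.strip).host
  raise ArgumentError, "referer has no host" if host.nil? || host.empty?
  host.downcase.sub(/\Awww\./, "")
rescue URI::InvalidURIError
  raise ArgumentError, "unparseable referer"
end

# Encode a byte string as a base-62 integer (leading zero bytes are not preserved).
def base62(bytes)
  n = bytes.unpack1("H*").to_i(16)
  return BASE62_ALPHABET[0] if n.zero?
  out = +""
  while n.positive?
    n, r = n.divmod(62)
    out << BASE62_ALPHABET[r]
  end
  out.reverse
end

# Base62(HMAC(secret, Normalize(referer))); MD5 as in the quoted scheme.
def api_key_for(secret, referer, digest: "MD5")
  base62(OpenSSL::HMAC.digest(digest, secret, normalize_referer(referer)))
end

# Recompute the key and compare in constant time; no database lookup is needed.
def valid_api_key?(secret, referer, presented, digest: "MD5")
  return false unless presented.is_a?(String)
  OpenSSL.secure_compare(api_key_for(secret, referer, digest: digest), presented)
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  secret = "constructed-demo-secret" # constructed value; load the real one from configuration
  key = api_key_for(secret, "https://www.example.com/")
  puts key
  puts valid_api_key?(secret, "https://example.com/page?x=1", key)
  puts valid_api_key?(secret, "https://other.example.net/", key)
end
```

Passing `digest: "SHA256"` switches the MAC without other changes. The Referer header is supplied by the client, so the check ties a key to a site name rather than proving who sent the request.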