This has nothing to do with Kotlin, but I ask because it has everything to do with servers. When saving API keys to the server database, is it "good enough" to save an RSA signature as the "hash". Or is your only secure method to use a sufficiently advanced set of salting and hashing algorithms? I find it much easier to delegate all my encryption woes to Amazon KMS, rather than worry about calculating ideal hashing settings. But I don't know if this would be a proper use-case 😕 .

I never save the API key itself, only a KMS-signed hash. The key is downloaded/presented to the user/requesting system once along with an ID. Essentially the key is a JWT signed by KMS and delivered only once. You then only need to keep the KMS signature ARN in your DB so that, as you rotate KMS signing keys, you can still validate older API keys. The JWT can then contain an expiration, etc, etc as needed