Harden store of user application key
For now, we store the user application key in clear in the database. This is not a real problem because such key give access to the data of the database that are already accessible if someone can read this table.
But it may be good to harden this storage so a database backup can not be used to get those keys.
The idea will be to hash (which hmac) the stored key with a secret key (from configuration) to get the real user application key. This way it will requires to have both keys to be able to use it.