Store only hashed key
I just saw on Discourse 2.4.0.beta9 [1] that they store only a hash and 4 chars of the key in the database.
I think we could do the same for session keys (user and web_user) and user applications. This will increase security in case of a database leak, as such a key could not be used.
[1] https://meta.discourse.org/t/discourse-2-4-0-beta9-release-notes/136517
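
A sketch of the scheme proposed above, added here as an illustration and not code from Discourse or from this project. The table and function names, the use of SHA-256 and the choice of the first 4 characters as the stored hint are all assumptions.

```python
import hashlib
import secrets
import sqlite3

HINT_LEN = 4  # the post says "4 chars of the key"; which 4 is an assumption


def hash_key(key: str) -> str:
    # Keys are long random tokens, so a plain fast hash is enough here;
    # this would not be adequate for human-chosen passwords.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def open_store() -> sqlite3.Connection:
    # Hypothetical schema: the raw key has no column at all.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE session ("
        "key_hash TEXT PRIMARY KEY, key_hint TEXT NOT NULL, "
        "login TEXT NOT NULL)")
    return conn


def new_session(conn: sqlite3.Connection, login: str) -> str:
    """Create a session; the raw key is returned once and never stored."""
    key = secrets.token_hex(32)
    conn.execute("INSERT INTO session VALUES (?, ?, ?)",
                 (hash_key(key), key[:HINT_LEN], login))
    return key


def check_session(conn: sqlite3.Connection, presented_key: str):
    """Return the login for a valid key, else None."""
    row = conn.execute("SELECT login FROM session WHERE key_hash = ?",
                       (hash_key(presented_key),)).fetchone()
    return row[0] if row else None


def leaked_rows(conn: sqlite3.Connection):
    """Everything a copy of the table contains: hash, hint and login."""
    return conn.execute(
        "SELECT key_hash, key_hint, login FROM session").fetchall()
```

The hint exists only so a user or administrator can tell keys apart in a listing; presenting a stored hash or hint as a key fails because the server hashes whatever it receives before the lookup.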