diff --git a/packages/models-library/src/models_library/rpc/webserver/auth/api_keys.py b/packages/models-library/src/models_library/rpc/webserver/auth/api_keys.py
index 3b0da5ed78cd..a3f5d22cffd5 100644
--- a/packages/models-library/src/models_library/rpc/webserver/auth/api_keys.py
+++ b/packages/models-library/src/models_library/rpc/webserver/auth/api_keys.py
@@ -16,13 +16,23 @@
 _SECRET_LEN: Final = 20
+# Application-wide pepper/salt for PBKDF2 (should ideally be kept secret and configurable)
+_API_KEY_PEPPER: Final = b"models-library-api-key-pepper-CHANGE_ME"
+_API_KEY_HASH_ITERATIONS: Final = 100_000
 def generate_api_key_prefix(name: str) -> str:
     return _PUNCTUATION_REGEX.sub("_", name[:5])
 def generate_unique_api_key(name: str, length: int = _KEY_LEN) -> str:
     prefix = generate_api_key_prefix(name)
-    hashed = hashlib.sha256(name.encode()).hexdigest()
+    # Use PBKDF2-HMAC-SHA256 with an application-wide pepper (salt) and high iteration count
+    hashed = hashlib.pbkdf2_hmac(
+        "sha256",
+        name.encode(),
+        _API_KEY_PEPPER,
+        _API_KEY_HASH_ITERATIONS,
+    ).hex()
     return f"{prefix}_{hashed[:length]}"
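Review bot: The pepper introduced as `_API_KEY_PEPPER` is a literal committed to source, so the key produced by `generate_unique_api_key` is still a pure function of `name` that anyone with the repository can recompute; the iteration count only slows a guess over `name`, it does not make the key secret. If the key must be reproducible per name, the secret input should be injected from configuration rather than defined as a module constant, and the comment should stop calling it a salt: `# Pepper: global secret input, NOT a per-entry salt; must be supplied from settings, never a source literal`. If reproducibility is not required, `secrets.token_hex` (stdlib) yields an unguessable key without paying 100_000 PBKDF2 iterations on every call, a CPU cost that is otherwise incurred per invocation of this function. Independently of the hash chosen, `hashed[:length]` truncates the output to `length` hex characters, so the effective key entropy is bounded by `_KEY_LEN` and the iteration count does nothing to raise it.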