You can't safely use SHA256 in that construction. The hash is simply the value of the SHA256 internal state after the last block. An attacker can take that hash and resume "hashing" from that point, adding additional data to the original data.
That attack is called "length extension", and it's the reason we have the HMAC construction. Here, I think you want the HMAC-SHA256 of the filter and user ID, with the API key as the HMAC key.
You can't safely use SHA256 in that construction. The hash is simply the value of the SHA256 internal state after the last block. An attacker can take that hash and resume "hashing" from that point, adding additional data to the original data.
That attack is called "length extension", and it's the reason we have the HMAC construction. Here, I think you want the HMAC-SHA256 of the filter and user ID, with the API key as the HMAC key.