API Keys for Your Customers.
Without Writing the Plumbing.
Full lifecycle API key management as a microservice. Create, scope, rotate, and revoke keys for your B2B customers — with built-in per-key rate limiting, usage tracking, audit logging, and a self-service developer portal API. All the infrastructure your developer platform needs, ready on day one.
Every B2B Team Rebuilds This
API key management sounds simple until you need rotation, scoping, and rate limiting. Here's what teams deal with — and what we eliminate.
✗ Without API Keys Service
- ✗ Rolling custom HMAC key generation and storage per project
- ✗ No usage visibility — can't tell which key is being abused
- ✗ Rate limiting is bolted on with a separate Redis library
- ✗ Key rotation requires downtime or complex migration scripts
- ✗ No audit trail of which key made which API call
✓ With API Keys Service
- Cryptographically secure key generation, bcrypt-hashed at rest
- Per-key usage dashboards with last-used, error rate, and call counts
- Built-in per-key rate limiting via Redis token buckets
- Zero-downtime key rotation with a safe overlap window
- Every key event auto-recorded in the Audit-Log service
What's Included
Production-grade API key infrastructure — every feature your developer platform needs.
Full Key Lifecycle Management
Create, scope, rotate, and revoke API keys through a single gRPC API. Keys are hashed at rest using bcrypt; only the prefix is stored in plaintext, for identification. The full key is never stored in plaintext.
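The storage and rotation model described above (plaintext prefix for lookup, hashed secret at rest, an overlap window during rotation), as an added sketch that is not the service's own code. Assumptions: the `ak_<hex>.<secret>` key format, the in-memory `STORE`, and all function names are hypothetical, and the standard library's scrypt stands in for bcrypt so the block runs without third-party packages.

```python
import hashlib, hmac, secrets, time

STORE = {}  # prefix -> record; stands in for the service's database (assumption)

def _digest(secret: str, salt: bytes) -> bytes:
    # scrypt (stdlib) is swapped in for the bcrypt hashing the page describes
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def issue_key(owner, scopes):
    """Return the plaintext key once; persist only prefix, salt and hash."""
    prefix = "ak_" + secrets.token_hex(4)   # stored in plaintext for identification
    secret = secrets.token_urlsafe(32)      # never stored
    salt = secrets.token_bytes(16)
    STORE[prefix] = {"owner": owner, "scopes": frozenset(scopes), "salt": salt,
                     "hash": _digest(secret, salt), "expires_at": None,
                     "revoked": False}
    return f"{prefix}.{secret}"

def verify(presented, required_scope, now=None):
    """Return the owner if the key is valid, unexpired and in scope, else None."""
    now = time.time() if now is None else now
    prefix, _, secret = presented.partition(".")
    rec = STORE.get(prefix)
    if rec is None or not secret:
        return None
    # Constant-time comparison of the recomputed hash against the stored one
    if not hmac.compare_digest(_digest(secret, rec["salt"]), rec["hash"]):
        return None
    if rec["revoked"]:
        return None
    if rec["expires_at"] is not None and now >= rec["expires_at"]:
        return None
    return rec["owner"] if required_scope in rec["scopes"] else None

def rotate(old_prefix, overlap_seconds, now=None):
    """Issue a replacement key; the old key keeps working until the overlap ends."""
    now = time.time() if now is None else now
    old = STORE[old_prefix]
    old["expires_at"] = now + overlap_seconds
    return issue_key(old["owner"], old["scopes"])

def revoke(prefix):
    """Disable a key immediately, regardless of any overlap window."""
    STORE[prefix]["revoked"] = True
```

Because only the hash is kept, a lost key cannot be recovered from the store; the caller has to rotate and hand out the new plaintext key once.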
Fine-Grained Scoping
Each key is issued with an explicit permission scope — read:invoices, write:submissions, admin:users. Scopes integrate directly with the Authz service so every request is permission-checked at the wire level.
Per-Key Usage Tracking
Every API call made with a key is metered and recorded. View request counts, last-used timestamps, and error rates per key. Feed data directly into Entitlements for usage-based billing.
Rate Limiting Per Key
Apply token-bucket or sliding-window rate limits on a per-key basis using Redis. Different keys can have different limits — free tier keys get 100 req/min, enterprise keys get unlimited.
Developer Portal APIs
Expose a self-service developer portal to your customers. Provide APIs for key listing, creation, rotation, and webhook registration. Build your own UI on top, or use the included React components.
Audit Log Integration
Every key action — creation, rotation, revocation, and failed authentication attempts — is automatically emitted to the Audit-Log service. Full traceability of who used which key and when.
Built for Real Developer Platforms
B2B SaaS Developer APIs
Your enterprise customers need programmatic access. Issue them scoped API keys through a self-service portal. They rotate their own keys, you audit everything.
Internal Service Authentication
Replace static secrets in your microservice mesh with rotatable, auditable API keys. Each service gets its own key with exactly the scopes it needs.
Webhook Signing & Validation
Generate HMAC signing keys for outbound webhooks. Customers use their key to verify payloads. Integrate with the Notifications service for signed delivery.