[ [0x70] Features ] API Keys

API Keys

> Secure API key generation with SHA-256 hashing, timing-safe comparison, and rate limiting.

Overview

[ [0x70] STATUS ]

The API keys system provides secure programmatic access to your application's API. Keys are generated with cryptographic randomness, stored as hashes, and validated using timing-safe comparison to prevent timing attacks.

Features

[ [0x01] 256_BIT_KEYS ]

STATUS: READY

DESC: Cryptographically secure random generation for maximum security.

[ [0x02] SHA_256_HASH ]

STATUS: READY

DESC: Only hashes stored in database - raw keys never persisted.

[ [0x03] TIMING_SAFE_ ]

STATUS: READY

DESC: Prevents timing attacks with constant-time comparison.

[ [0x04] RATE_LIMITIN ]

STATUS: READY

DESC: Protect against abuse with configurable rate limits per tier.

Usage

[ [0xE6] DATABASE SCHEMA ]

API key model in Prisma schema

1// prisma/schema.prisma
2model ApiKey {
3  id          String    @id @default(cuid())
4  userId      String
5  user        User      @relation(fields: [userId], references: [id], onDelete: Cascade)
6
7  name        String    // User-friendly name
8  keyHash     String    @unique // SHA-256 hash
9  keyPrefix   String    // First 8 chars for identification (e.g., "fk_live_")
10
11  scopes      String[]  // ["read:users", "write:data"]
12
13  lastUsedAt  DateTime?
14  expiresAt   DateTime?
15  revokedAt   DateTime?
16
17  createdAt   DateTime  @default(now())
18
19  @@index([keyHash])
20  @@index([userId])
21}

[ [0x67] KEY GENERATION ]

Securely generate and hash API keys

1// src/lib/api-keys.ts
2import crypto from "crypto";
3import { prisma } from "@/lib/db";
4
5interface CreateApiKeyInput {
6  userId: string;
7  name: string;
8  scopes: string[];
9  expiresAt?: Date;
10}
11
12export async function createApiKey(input: CreateApiKeyInput) {
13  // Generate 256-bit random key
14  const rawKey = crypto.randomBytes(32).toString("base64url");
15
16  // Create key with prefix for easy identification
17  const prefix = "fk_live_";
18  const fullKey = prefix + rawKey;
19
20  // Hash the key for storage
21  const keyHash = crypto
22    .createHash("sha256")
23    .update(fullKey)
24    .digest("hex");
25
26  // Store in database
27  const apiKey = await prisma.apiKey.create({
28    data: {
29      userId: input.userId,
30      name: input.name,
31      keyHash,
32      keyPrefix: prefix,
33      scopes: input.scopes,
34      expiresAt: input.expiresAt,
35    },
36  });
37
38  // Return the full key ONCE (never stored or retrievable)
39  return {
40    id: apiKey.id,
41    key: fullKey, // Show to user once
42    name: apiKey.name,
43    scopes: apiKey.scopes,
44    createdAt: apiKey.createdAt,
45  };
46}
47
48// Available scopes
49export const API_SCOPES = [
50  "read:profile",
51  "write:profile",
52  "read:organizations",
53  "write:organizations",
54  "read:billing",
55  "manage:billing",
56  "admin",
57] as const;

[ [0x06] KEY VALIDATION ]

Validate API keys with timing-safe comparison

1// src/lib/api-keys.ts
2import crypto from "crypto";
3
4export async function validateApiKey(key: string) {
5  // Hash the provided key
6  const keyHash = crypto
7    .createHash("sha256")
8    .update(key)
9    .digest("hex");
10
11  // Find key by hash
12  const apiKey = await prisma.apiKey.findUnique({
13    where: { keyHash },
14    include: { user: true },
15  });
16
17  if (!apiKey) {
18    return { valid: false, error: "Invalid API key" };
19  }
20
21  // Check if revoked
22  if (apiKey.revokedAt) {
23    return { valid: false, error: "API key has been revoked" };
24  }
25
26  // Check expiration
27  if (apiKey.expiresAt && apiKey.expiresAt < new Date()) {
28    return { valid: false, error: "API key has expired" };
29  }
30
31  // Update last used timestamp
32  await prisma.apiKey.update({
33    where: { id: apiKey.id },
34    data: { lastUsedAt: new Date() },
35  });
36
37  return {
38    valid: true,
39    userId: apiKey.userId,
40    scopes: apiKey.scopes,
41    user: apiKey.user,
42  };
43}
44
45// Middleware for API routes
46export async function withApiKey(
47  req: Request,
48  requiredScopes: string[] = []
49) {
50  const authHeader = req.headers.get("Authorization");
51
52  if (!authHeader?.startsWith("Bearer ")) {
53    return { error: "Missing API key", status: 401 };
54  }
55
56  const key = authHeader.slice(7);
57  const result = await validateApiKey(key);
58
59  if (!result.valid) {
60    return { error: result.error, status: 401 };
61  }
62
63  // Check scopes
64  if (requiredScopes.length > 0) {
65    const hasScope = requiredScopes.every(
66      (scope) => result.scopes.includes(scope) || result.scopes.includes("admin")
67    );
68
69    if (!hasScope) {
70      return { error: "Insufficient permissions", status: 403 };
71    }
72  }
73
74  return { user: result.user, scopes: result.scopes };
75}

[ [0x65] USING API KEYS IN ROUTES ]

Protect your API routes with API key authentication

1// src/app/api/v1/data/route.ts
2import { withApiKey } from "@/lib/api-keys";
3
4export async function GET(req: Request) {
5  // Validate API key with required scopes
6  const auth = await withApiKey(req, ["read:data"]);
7
8  if ("error" in auth) {
9    return Response.json(
10      { error: auth.error },
11      { status: auth.status }
12    );
13  }
14
15  // auth.user is available
16  const data = await prisma.data.findMany({
17    where: { userId: auth.user.id },
18  });
19
20  return Response.json({ data });
21}
22
23export async function POST(req: Request) {
24  // Require write scope
25  const auth = await withApiKey(req, ["write:data"]);
26
27  if ("error" in auth) {
28    return Response.json(
29      { error: auth.error },
30      { status: auth.status }
31    );
32  }
33
34  const body = await req.json();
35
36  const data = await prisma.data.create({
37    data: {
38      ...body,
39      userId: auth.user.id,
40    },
41  });
42
43  return Response.json({ data });
44}

[ [0x87] RATE LIMITING ]

Implement rate limiting per API key

1// src/lib/rate-limit.ts
2import { Redis } from "@upstash/redis";
3
4const redis = new Redis({
5  url: process.env.UPSTASH_REDIS_URL!,
6  token: process.env.UPSTASH_REDIS_TOKEN!,
7});
8
9interface RateLimitConfig {
10  maxRequests: number;
11  windowMs: number;
12}
13
14const RATE_LIMITS: Record<string, RateLimitConfig> = {
15  default: { maxRequests: 100, windowMs: 60000 },    // 100/min
16  premium: { maxRequests: 1000, windowMs: 60000 },   // 1000/min
17  enterprise: { maxRequests: 10000, windowMs: 60000 }, // 10000/min
18};
19
20export async function checkRateLimit(
21  identifier: string,
22  tier: string = "default"
23) {
24  const config = RATE_LIMITS[tier] || RATE_LIMITS.default;
25  const key = `rate_limit:${identifier}`;
26
27  const current = await redis.incr(key);
28
29  if (current === 1) {
30    await redis.pexpire(key, config.windowMs);
31  }
32
33  const remaining = Math.max(0, config.maxRequests - current);
34  const reset = await redis.pttl(key);
35
36  return {
37    allowed: current <= config.maxRequests,
38    remaining,
39    reset: Date.now() + reset,
40    limit: config.maxRequests,
41  };
42}
43
44// Usage in API route
45export async function GET(req: Request) {
46  const auth = await withApiKey(req);
47  if ("error" in auth) {
48    return Response.json({ error: auth.error }, { status: auth.status });
49  }
50
51  const rateLimit = await checkRateLimit(auth.user.id, auth.user.plan);
52
53  if (!rateLimit.allowed) {
54    return Response.json(
55      { error: "Rate limit exceeded" },
56      {
57        status: 429,
58        headers: {
59          "X-RateLimit-Limit": rateLimit.limit.toString(),
60          "X-RateLimit-Remaining": "0",
61          "X-RateLimit-Reset": rateLimit.reset.toString(),
62          "Retry-After": Math.ceil((rateLimit.reset - Date.now()) / 1000).toString(),
63        },
64      }
65    );
66  }
67
68  // Process request...
69}

Security Best Practices

[ [0x1C] SECURITY BEST PRACTICES ]

├─ Never log full keys: Only log the prefix for debugging
├─ Show key once: Display the full key only at creation time
├─ Use HTTPS only: Never transmit keys over HTTP
├─ Implement expiration: Set reasonable expiration dates
├─ Allow revocation: Users should be able to revoke keys instantly
├─ Track usage: Log last used timestamps and access patterns
├─ Scope permissions: Follow principle of least privilege
└─ Rate limit aggressively: Protect against brute force and abuse

Features

[ [0x01] 256_BIT_KEYS ]

STATUS: READY

DESC: Cryptographically secure random generation for maximum security.

[ [0x02] SHA_256_HASH ]

STATUS: READY

DESC: Only hashes stored in database - raw keys never persisted.

[ [0x03] TIMING_SAFE_ ]

STATUS: READY

DESC: Prevents timing attacks with constant-time comparison.

[ [0x04] RATE_LIMITIN ]

STATUS: READY

DESC: Protect against abuse with configurable rate limits per tier.

Usage

[ [0xE6] DATABASE SCHEMA ]

API key model in Prisma schema

1// prisma/schema.prisma
2model ApiKey {
3  id          String    @id @default(cuid())
4  userId      String
5  user        User      @relation(fields: [userId], references: [id], onDelete: Cascade)
6
7  name        String    // User-friendly name
8  keyHash     String    @unique // SHA-256 hash
9  keyPrefix   String    // First 8 chars for identification (e.g., "fk_live_")
10
11  scopes      String[]  // ["read:users", "write:data"]
12
13  lastUsedAt  DateTime?
14  expiresAt   DateTime?
15  revokedAt   DateTime?
16
17  createdAt   DateTime  @default(now())
18
19  @@index([keyHash])
20  @@index([userId])
21}

[ [0x67] KEY GENERATION ]

Securely generate and hash API keys

1// src/lib/api-keys.ts
2import crypto from "crypto";
3import { prisma } from "@/lib/db";
4
5interface CreateApiKeyInput {
6  userId: string;
7  name: string;
8  scopes: string[];
9  expiresAt?: Date;
10}
11
12export async function createApiKey(input: CreateApiKeyInput) {
13  // Generate 256-bit random key
14  const rawKey = crypto.randomBytes(32).toString("base64url");
15
16  // Create key with prefix for easy identification
17  const prefix = "fk_live_";
18  const fullKey = prefix + rawKey;
19
20  // Hash the key for storage
21  const keyHash = crypto
22    .createHash("sha256")
23    .update(fullKey)
24    .digest("hex");
25
26  // Store in database
27  const apiKey = await prisma.apiKey.create({
28    data: {
29      userId: input.userId,
30      name: input.name,
31      keyHash,
32      keyPrefix: prefix,
33      scopes: input.scopes,
34      expiresAt: input.expiresAt,
35    },
36  });
37
38  // Return the full key ONCE (never stored or retrievable)
39  return {
40    id: apiKey.id,
41    key: fullKey, // Show to user once
42    name: apiKey.name,
43    scopes: apiKey.scopes,
44    createdAt: apiKey.createdAt,
45  };
46}
47
48// Available scopes
49export const API_SCOPES = [
50  "read:profile",
51  "write:profile",
52  "read:organizations",
53  "write:organizations",
54  "read:billing",
55  "manage:billing",
56  "admin",
57] as const;

[ [0x06] KEY VALIDATION ]

Validate API keys with timing-safe comparison

1// src/lib/api-keys.ts
2import crypto from "crypto";
3
4export async function validateApiKey(key: string) {
5  // Hash the provided key
6  const keyHash = crypto
7    .createHash("sha256")
8    .update(key)
9    .digest("hex");
10
11  // Find key by hash
12  const apiKey = await prisma.apiKey.findUnique({
13    where: { keyHash },
14    include: { user: true },
15  });
16
17  if (!apiKey) {
18    return { valid: false, error: "Invalid API key" };
19  }
20
21  // Check if revoked
22  if (apiKey.revokedAt) {
23    return { valid: false, error: "API key has been revoked" };
24  }
25
26  // Check expiration
27  if (apiKey.expiresAt && apiKey.expiresAt < new Date()) {
28    return { valid: false, error: "API key has expired" };
29  }
30
31  // Update last used timestamp
32  await prisma.apiKey.update({
33    where: { id: apiKey.id },
34    data: { lastUsedAt: new Date() },
35  });
36
37  return {
38    valid: true,
39    userId: apiKey.userId,
40    scopes: apiKey.scopes,
41    user: apiKey.user,
42  };
43}
44
45// Middleware for API routes
46export async function withApiKey(
47  req: Request,
48  requiredScopes: string[] = []
49) {
50  const authHeader = req.headers.get("Authorization");
51
52  if (!authHeader?.startsWith("Bearer ")) {
53    return { error: "Missing API key", status: 401 };
54  }
55
56  const key = authHeader.slice(7);
57  const result = await validateApiKey(key);
58
59  if (!result.valid) {
60    return { error: result.error, status: 401 };
61  }
62
63  // Check scopes
64  if (requiredScopes.length > 0) {
65    const hasScope = requiredScopes.every(
66      (scope) => result.scopes.includes(scope) || result.scopes.includes("admin")
67    );
68
69    if (!hasScope) {
70      return { error: "Insufficient permissions", status: 403 };
71    }
72  }
73
74  return { user: result.user, scopes: result.scopes };
75}

[ [0x65] USING API KEYS IN ROUTES ]

Protect your API routes with API key authentication

1// src/app/api/v1/data/route.ts
2import { withApiKey } from "@/lib/api-keys";
3
4export async function GET(req: Request) {
5  // Validate API key with required scopes
6  const auth = await withApiKey(req, ["read:data"]);
7
8  if ("error" in auth) {
9    return Response.json(
10      { error: auth.error },
11      { status: auth.status }
12    );
13  }
14
15  // auth.user is available
16  const data = await prisma.data.findMany({
17    where: { userId: auth.user.id },
18  });
19
20  return Response.json({ data });
21}
22
23export async function POST(req: Request) {
24  // Require write scope
25  const auth = await withApiKey(req, ["write:data"]);
26
27  if ("error" in auth) {
28    return Response.json(
29      { error: auth.error },
30      { status: auth.status }
31    );
32  }
33
34  const body = await req.json();
35
36  const data = await prisma.data.create({
37    data: {
38      ...body,
39      userId: auth.user.id,
40    },
41  });
42
43  return Response.json({ data });
44}

[ [0x87] RATE LIMITING ]

Implement rate limiting per API key

1// src/lib/rate-limit.ts
2import { Redis } from "@upstash/redis";
3
4const redis = new Redis({
5  url: process.env.UPSTASH_REDIS_URL!,
6  token: process.env.UPSTASH_REDIS_TOKEN!,
7});
8
9interface RateLimitConfig {
10  maxRequests: number;
11  windowMs: number;
12}
13
14const RATE_LIMITS: Record<string, RateLimitConfig> = {
15  default: { maxRequests: 100, windowMs: 60000 },    // 100/min
16  premium: { maxRequests: 1000, windowMs: 60000 },   // 1000/min
17  enterprise: { maxRequests: 10000, windowMs: 60000 }, // 10000/min
18};
19
20export async function checkRateLimit(
21  identifier: string,
22  tier: string = "default"
23) {
24  const config = RATE_LIMITS[tier] || RATE_LIMITS.default;
25  const key = `rate_limit:${identifier}`;
26
27  const current = await redis.incr(key);
28
29  if (current === 1) {
30    await redis.pexpire(key, config.windowMs);
31  }
32
33  const remaining = Math.max(0, config.maxRequests - current);
34  const reset = await redis.pttl(key);
35
36  return {
37    allowed: current <= config.maxRequests,
38    remaining,
39    reset: Date.now() + reset,
40    limit: config.maxRequests,
41  };
42}
43
44// Usage in API route
45export async function GET(req: Request) {
46  const auth = await withApiKey(req);
47  if ("error" in auth) {
48    return Response.json({ error: auth.error }, { status: auth.status });
49  }
50
51  const rateLimit = await checkRateLimit(auth.user.id, auth.user.plan);
52
53  if (!rateLimit.allowed) {
54    return Response.json(
55      { error: "Rate limit exceeded" },
56      {
57        status: 429,
58        headers: {
59          "X-RateLimit-Limit": rateLimit.limit.toString(),
60          "X-RateLimit-Remaining": "0",
61          "X-RateLimit-Reset": rateLimit.reset.toString(),
62          "Retry-After": Math.ceil((rateLimit.reset - Date.now()) / 1000).toString(),
63        },
64      }
65    );
66  }
67
68  // Process request...
69}

Security Best Practices

[ [0x1C] SECURITY BEST PRACTICES ]

├─ Never log full keys: Only log the prefix for debugging
├─ Show key once: Display the full key only at creation time
├─ Use HTTPS only: Never transmit keys over HTTP
├─ Implement expiration: Set reasonable expiration dates
├─ Allow revocation: Users should be able to revoke keys instantly
├─ Track usage: Log last used timestamps and access patterns
├─ Scope permissions: Follow principle of least privilege
└─ Rate limit aggressively: Protect against brute force and abuse