API Key Configuration

Issue and manage secure, hashed API keys for external developer access.

The starter ecosystem supports multi-organization API keys out of the box, with built-in Role-Based Access Control (RBAC).

API Key Security

Secure, granular, hashed API keys (sk_live_...) are attached to specific Workspaces/Teams for external developer access.

  • Prefix: All keys start with sk_live_ (secret key) or pk_live_ (public key).
  • Hashing: Keys are stored as SHA-256 hashes in the database.
  • Revocability: Keys can be revoked or deleted at any time by a team owner.

Generating API Keys

Users can generate API keys directly from their dashboard under the Settings > API Keys section.

  1. Select Team: Choose the team for which you want to generate a key.
  2. Name the Key: Give it a descriptive name for identification.
  3. Save and Copy: Once generated, copy the key and store it securely.

API Key Middleware

The API server uses a custom middleware to verify API keys in the Authorization header.

// apps/api/src/middleware/auth.ts
import { verifyApiKey } from "./auth";

// In your routes:
router.get("/v1/data", verifyApiKey, async (req, res) => {
  // Access data with a valid API key
});

Authentication via Header

When making requests to the API from an external application, include the API key in the Authorization header:

curl -X GET "https://api.yourdomain.com/v1/data" \
     -H "Authorization: Bearer sk_live_your_api_key"

Granular Access Control

API keys are associated with a specific team and have a role assigned to them, allowing for granular access control.

  • Read-Only: Access to read data only.
  • Write: Access to create and update data.
  • Admin: Full access to all team settings and resources.
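
An added example, not the starter's own verifyApiKey: a minimal sketch of the checks such a middleware performs, combining the hashed storage, revocation and team/role rules described above. The in-memory keyStore, the function names, the random key suffix format, the role ordering (admin above write above read-only) and the choice to accept only sk_live_ keys are assumptions made for illustration.

```typescript
import { createHash, randomBytes } from "node:crypto";

type Role = "read-only" | "write" | "admin";
interface KeyRecord { teamId: string; role: Role; revoked: boolean }

// Hypothetical stand-in for the database table, indexed by SHA-256 hex digest.
// The plaintext key is never stored, so a database leak does not expose usable keys.
const keyStore = new Map<string, KeyRecord>();

const sha256 = (s: string): string =>
  createHash("sha256").update(s).digest("hex");

// Issue a key: the plaintext is returned once to the caller, only the hash is kept.
function issueKey(teamId: string, role: Role): string {
  const key = "sk_live_" + randomBytes(24).toString("hex"); // assumed suffix format
  keyStore.set(sha256(key), { teamId, role, revoked: false });
  return key;
}

// Revocation flips a flag on the stored record; the hash lookup still finds it.
function revokeKey(key: string): void {
  const rec = keyStore.get(sha256(key));
  if (rec) rec.revoked = true;
}

// Assumed ordering: each role includes the permissions of the ones below it.
const RANK: Record<Role, number> = { "read-only": 0, write: 1, admin: 2 };

// Returns the HTTP status a middleware would answer with:
// 401 for a missing, malformed, unknown or revoked key,
// 403 for a valid key used on the wrong team or with too low a role.
function authorize(header: string | undefined, teamId: string, needed: Role): number {
  // Assumption: only secret keys (sk_live_) authenticate server-side requests.
  const match = /^Bearer (sk_live_[A-Za-z0-9]+)$/.exec(header ?? "");
  const token = match ? match[1] : undefined;
  if (!token) return 401;

  // Hash the presented key and look it up; unknown and revoked keys get the
  // same answer so a caller cannot tell them apart.
  const rec = keyStore.get(sha256(token));
  if (!rec || rec.revoked) return 401;

  if (rec.teamId !== teamId) return 403;            // key belongs to another team
  if (RANK[rec.role] < RANK[needed]) return 403;    // role too low for this route
  return 200;
}
```

In a route, the status returned by authorize would decide whether the handler runs or the request is rejected before touching team data.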

API Documentation

For more information on the API endpoints and how to use them, refer to the API Documentation.