API, intermediate

API Key Management

The lifecycle management of API keys including generation, secure storage, rotation, scoping, and revocation.

Also known as: API Key Rotation, API Key Lifecycle

Description

API key management encompasses the full lifecycle of API keys: generation, secure storage, distribution, usage monitoring, rotation, and revocation. Well-managed API keys are generated from a cryptographically secure random source with sufficient entropy (at least 256 bits), prefixed with identifiers that indicate the environment and key type (e.g., sk_live_, pk_test_), and stored only as a hash (never in plaintext) in the database. Because the key is high-entropy random data rather than a human-chosen password, a fast hash such as SHA-256 is sufficient; a slow password hash adds cost without adding security. The prefix also lets secret scanners and log filters recognise a leaked key on sight. The full key is shown to the user only once at creation time, and on each request the server hashes the presented key and compares it to the stored hash in constant time.

Key scoping is essential for following the principle of least privilege, because it bounds the blast radius of a leaked key. Each API key should be associated with specific permissions (read-only, write, admin) and optionally restricted by IP allowlist, referrer domain, or resource scope, with scope checks enforced on every request rather than only at issuance. Usage monitoring tracks request volume, error rates, and last-used timestamps per key; a key that suddenly changes volume or source is a compromise signal, and a key unused for months is a candidate for revocation.

Rotation is the most operationally critical aspect. The system should support issuing a new key before revoking the old one, with a configurable overlap period during which both keys are valid. This allows consumers to update their configuration without downtime. Automated rotation (e.g., every 90 days) with advance notification via email or webhook is the gold standard. Revoked keys should return 401 immediately; if key lookups are cached, the cache TTL bounds how long a revoked key keeps working, so revocation must invalidate the cache entry as well. The revocation event (who revoked which key, and when) should be logged for audit purposes.

Prompt Snippet

Generate API keys using crypto.randomBytes(32) with a structured prefix: sk_live_ for production secret keys, pk_live_ for publishable keys. Store only the SHA-256 hash in the database and display the full key once on creation. Support per-key permission scopes (e.g., invoices:read, invoices:write) stored as a JSONB array. Implement key rotation with a 48-hour grace period where both old and new keys are accepted. Track last_used_at on every authenticated request and flag keys unused for 90+ days for review. Emit a key.revoked audit log event on revocation.

Tags

api-keys, security, lifecycle, rotation, secrets