API Keys

Hashed API keys authenticated via the X-Api-Key header.

API keys let non-interactive clients authenticate without a session. They are handled by the APIKey class in lib/apiKey.ts.

How It Works

Method                  Behavior
APIKey.hash(secret)     Produces the stored SHA-1 hash. The raw secret is never stored.
APIKey.resolve(secret)  Looks up a key by its hashed secret and bumps accessCount / lastAccessAt.

Clients authenticate by sending the secret in the X-Api-Key header. withAuthSession checks this as one of its three credential strategies.

Management Route

routes/apiKeys.ts exposes CRUD endpoints scoped to the key's creator:

  • The hashed secret is excluded from responses.
  • The secret is auto-hashed on input.

See schemas/apiKey.ts for the exact fields. Like OAuth consents, API keys can carry a per-tenant resourceGrant to narrow their scopes per tenant.
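As an added example (not code from lib/apiKey.ts or routes/apiKeys.ts), the following TypeScript sketch reproduces the behaviour described under How It Works and Management Route against an in-memory store: the SHA-1 hash is the only thing persisted, resolve looks a key up by that hash and bumps accessCount / lastAccessAt, the secret is read from the X-Api-Key header, and the management response drops the hashed secret. The record fields, hex encoding, randomBytes-based secret generation and the Map store are assumptions, not the project's schema.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Constructed stand-in for the persisted key record (field names are assumptions).
interface ApiKeyRecord {
  id: string;
  hashedSecret: string; // only the hash is stored, never the raw secret
  accessCount: number;
  lastAccessAt: Date | null;
}

// In-memory store keyed by hashedSecret, standing in for the database lookup.
const store = new Map<string, ApiKeyRecord>();

// Mirrors APIKey.hash: SHA-1 of the raw secret (hex encoding assumed).
export function hash(secret: string): string {
  return createHash("sha1").update(secret, "utf8").digest("hex");
}

// Create a key: the raw secret is returned to the caller once; only its hash is kept.
// SHA-1 here is unsalted and fast, so the secret itself must carry the entropy;
// 32 random bytes from the CSPRNG is an assumption about how secrets are minted.
export function create(id: string): string {
  const secret = randomBytes(32).toString("base64url");
  store.set(hash(secret), { id, hashedSecret: hash(secret), accessCount: 0, lastAccessAt: null });
  return secret;
}

// Mirrors APIKey.resolve: look up by hashed secret, then bump the usage counters.
export function resolve(secret: string): ApiKeyRecord | null {
  const rec = store.get(hash(secret));
  if (!rec) return null;
  rec.accessCount += 1;
  rec.lastAccessAt = new Date();
  return rec;
}

// The X-Api-Key credential strategy: header names are case-insensitive.
export function resolveFromHeaders(headers: Record<string, string | undefined>): ApiKeyRecord | null {
  const entry = Object.entries(headers).find(([name]) => name.toLowerCase() === "x-api-key");
  const secret = entry?.[1];
  return secret ? resolve(secret) : null;
}

// Management-route response shape: the hashed secret is excluded.
export function toResponse(rec: ApiKeyRecord): Omit<ApiKeyRecord, "hashedSecret"> {
  const { id, accessCount, lastAccessAt } = rec;
  return { id, accessCount, lastAccessAt };
}
```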
