API Key Overview
Production - ApiKeyController - 15 endpoints at /api/v1/api-keys
API keys provide long-lived authentication tokens for programmatic access to the MATIH platform. Unlike JWT tokens, API keys do not expire based on time alone and support scoped permissions, IP whitelisting, and rate limiting.
API Key Features
| Feature | Description |
|---|---|
| Scoped Permissions | Each key has a defined set of scopes (permissions) |
| IP Whitelisting | Restrict key usage to specific IP addresses or CIDR blocks |
| Rate Limiting | Per-key request rate limits |
| Key Rotation | Graceful rotation with configurable grace period |
| Key Types | user, service, integration |
| Test Mode | Separate test keys for development |
| Expiration | Optional expiration in days |
| Prefix Format | Keys start with mk_live_ or mk_test_ for identification |
Key Storage Security
API keys are never stored in plain text:
- The full key is only returned once at creation time
- A SHA-256 hash of the key is stored in the key_hash column
- The first 8 characters are stored as key_prefix for display purposes
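
The storage scheme above, sketched as an added example (this is not MATIH's own code): a key is generated, only its SHA-256 hash and display prefix are kept, and a presented key is checked against the stored hash. The function names, the 32-byte random body, the in-memory list standing in for the key table, and reading "first 8 characters" as the first 8 characters of the full key string are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# The two prefixes come from the page; every other name here is illustrative.
KEY_PREFIXES = ("mk_live_", "mk_test_")


def hash_key(full_key: str) -> str:
    """SHA-256 hex digest, the value kept in the key_hash column."""
    return hashlib.sha256(full_key.encode("utf-8")).hexdigest()


def create_key(test_mode: bool = False):
    """Return (full_key, row). The full key is shown once; only row is stored."""
    marker = "mk_test_" if test_mode else "mk_live_"
    # Random body from the OS CSPRNG. High entropy is what makes a fast,
    # unsalted hash acceptable here, unlike for human-chosen passwords.
    full_key = marker + secrets.token_urlsafe(32)
    row = {
        "key_hash": hash_key(full_key),
        # Assumption: "first 8 characters" is taken over the full key string.
        "key_prefix": full_key[:8],
    }
    return full_key, row


def verify_key(presented: str, rows: list) -> Optional[dict]:
    """Return the stored row matching the presented key, or None."""
    if not presented.startswith(KEY_PREFIXES):
        return None  # malformed key: reject before hashing
    candidate = hash_key(presented)
    match = None
    for row in rows:
        # Constant-time comparison of the two digests.
        if hmac.compare_digest(candidate, row["key_hash"]):
            match = row
    return match


if __name__ == "__main__":
    key, row = create_key()
    table = [row]  # constructed stand-in for the key table
    print("shown once:", key)
    print("stored row:", row)
    print("valid key accepted:", verify_key(key, table) is not None)
    print("altered key accepted:", verify_key(key + "x", table) is not None)
```

Under that literal reading, key_prefix is identical for every live key ("mk_live_"), so it distinguishes live from test keys but not one key from another.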
Section Pages
| Page | Description |
|---|---|
| Creating Keys | Key creation with scopes and configuration |
| Key Rotation | Automatic and manual rotation |
| Scopes & Limits | Scope definitions and rate limiting |
| IP Whitelisting | IP restriction management |