API keys are easy to add and easy to misuse.
A good API key system is not just a random string in a database. It needs key ownership, safe storage, rotation, scopes, rate limits, audit logs, and clear failure behavior.
Quick answer
For backend APIs, a practical API key design should:
- Generate high-entropy keys.
- Show the full key only once.
- Store only a hash of the secret portion.
- Include a visible prefix for identification.
- Attach each key to an owner, project, environment, and purpose.
- Support scopes, rate limits, expiration, revocation, and rotation.
- Redact keys from logs.
API keys are best for project-level, integration-level, or service-level access. For delegated user access, compare them with OAuth tokens first.
Read API Key vs OAuth Token for that decision.
API key format
An API key should be easy for systems to identify but hard for attackers to guess.
A common format is:
bsl_live_abc123...secret...
The prefix can encode non-secret metadata:
- Product or issuer.
- Environment such as test or live.
- Key type.
- Public key identifier.
The secret portion should be random and long enough to resist guessing.
Do not put sensitive user data, tenant names, plan names, or permissions directly into the visible key string.
Store keys safely
Treat API keys like passwords.
When a user creates a key, show the full key once. After that, store a hash of the secret value rather than the raw key where possible.
At request time:
1. Parse the visible key prefix or identifier.
2. Find the candidate key record.
3. Hash the submitted secret portion.
4. Compare with the stored hash.
5. Check status, scopes, owner, environment, and limits.
This design reduces damage if the database leaks. Attackers should not get raw usable API keys from the key table.
Read Password Hashing Explained for the broader idea behind one-way storage.
Ownership and scopes
Every API key should have an owner.
That owner might be:
- A user.
- An organization.
- A project.
- A service account.
- A partner integration.
Avoid orphaned keys. If no one knows who owns a key or why it exists, revocation becomes risky and incident response becomes slow.
Scopes keep keys narrower:
| Scope style | Example |
|---|---|
| Product area | billing:read, billing:write |
| Resource type | projects:read, projects:update |
| Environment | test-only or live-only keys |
| Operation risk | read-only vs write-capable |
Scopes are not a complete authorization system, but they reduce blast radius.
Read RBAC vs ABAC for broader access-control modeling.
Rotation and expiration
API keys often become long-lived. That makes rotation support important.
Good rotation UX lets users:
- Create a new key while the old key still works.
- Deploy the new key.
- Confirm traffic is using the new key.
- Revoke the old key.
Optional expiration can help for temporary integrations, local testing keys, or high-risk keys.
Do not force all keys to expire without a migration path. Sudden expiration can break integrations and encourage unsafe workarounds.
Rate limits and abuse controls
API keys should connect naturally to rate limits.
A backend can limit by:
- Key.
- Account.
- IP address.
- Route.
- API product.
- Environment.
If a key leaks, rate limits can reduce immediate damage. They also give operators signals that something is wrong.
Read Rate Limiting in APIs Explained for quota windows, token buckets, and response design.
Audit logs and observability
API key usage should be observable without exposing secrets.
Useful fields:
- Key ID or prefix.
- Owning account or project.
- Endpoint.
- Timestamp.
- Source IP or region.
- Result status.
- Request ID.
- User agent or client name.
Never log the full key. Redact Authorization, X-API-Key, query strings, and error contexts that might include credentials.
Use the HTTP Status Code Lookup when designing clear 401, 403, and 429 responses.
Common mistakes
The first mistake is storing raw API keys in plaintext.
The second mistake is putting API keys in browser JavaScript or mobile apps when the key is supposed to be secret.
The third mistake is creating one global key with broad production access.
The fourth mistake is not supporting rotation.
The fifth mistake is logging full keys in request logs, traces, or analytics.
The sixth mistake is treating scopes as enough authorization. Resource ownership, tenant boundaries, and business rules still matter.
Practical recommendation
Design API keys as an operational system:
- Use identifiable prefixes and strong random secrets.
- Store only hashed secrets.
- Show full keys only once.
- Require names and owners.
- Support scopes, rotation, revocation, and optional expiration.
- Attach rate limits and audit logs.
- Redact credentials everywhere.
- Test leaked-key and revoked-key behavior.
API keys are simple only at the surface. The backend lifecycle around them is where the security quality shows.
Related reading
Read API Authentication Best Practices for the broader protected API checklist and API Key vs OAuth Token before choosing API keys for delegated access. Read OAuth Scopes Explained, OAuth Client Credentials Flow Explained, Service Accounts Explained, and Least Privilege Explained for permission boundaries.
For operational safeguards, read Audit Logs Explained, Security Event Logging Explained, and Secret Management Explained. For API behavior, read API Abuse Prevention Explained, API Gateway Explained, Rate Limiting in APIs Explained, and REST API Error Handling Best Practices. For the full security sequence, browse the Authentication Learning Path, Backend Security Learning Path, and the Topics map.