Ask HN: How do you handle API-key generation/management for your SaaS?

2 points by runeks ↗ HN
I need to implement API-key generation and management for a multi-tenant SaaS.

How have you implemented this for your SaaS?

The API-key system I'm designing needs to support:

* Instant revocation * Different application access levels (e.g. "read-only" and "read+write") * "Read+write" API keys should be able to generate new API keys and revoke old ones (a "read-only" API key must not be able to do this)

Notes:

* I already use Keycloak for user+password logins

5 comments

[ 0.23 ms ] story [ 18.8 ms ] thread
A custom relational table plus custom code.
It depends on the tech stack you are currently using for your SaaS. I would not develop this from scratch. For example: If you are using Laravel for the backend, you can develop this feature "easily" using Laravel Passport (https://laravel.com/docs/8.x/passport)

If you are using Keycloak, the solution might be in this post: https://stackoverflow.com/questions/52230634/issuing-api-key...

Thank you.

I'm super familiar with the backend, but I know it's written in Node.js and that the current authentication solution uses express and passport with a custom table in the Postgres database.

That should have read “I'm not super familiar with the backend”.