Ask HN: How do you handle API-key generation/management for your SaaS?
I need to implement API-key generation and management for a multi-tenant SaaS.
How have you implemented this for your SaaS?
The API-key system I'm designing needs to support:
* Instant revocation * Different application access levels (e.g. "read-only" and "read+write") * "Read+write" API keys should be able to generate new API keys and revoke old ones (a "read-only" API key must not be able to do this)
Notes:
* I already use Keycloak for user+password logins
5 comments
[ 0.23 ms ] story [ 18.8 ms ] threadIf you are using Keycloak, the solution might be in this post: https://stackoverflow.com/questions/52230634/issuing-api-key...
I'm super familiar with the backend, but I know it's written in Node.js and that the current authentication solution uses express and passport with a custom table in the Postgres database.