Fine-grained permissions for API keys – any best practices, great examples, etc?

3 points by coopr ↗ HN
Can you offer, or point to, any advice on providing fine-grained permissions for API keys? Any great example implementations you've seen? Any docs or best practices I should look at?

(I'm not interested in the technical implementation - I'm more interested in the UI, the documentation, etc)

By "fine grained permissions for API keys", I mean that a user could create an API key with a certain set of permissions (eg CREATE resource type X, READ (but not modify) resource type Y, prohibit access to endpoints A and B, etc), then create another key with other permissions, etc. Admins would need to see what keys were created by whom, what permissions those keys have, usage on a per-key basis, do key regeneration, etc.

3 comments

[ 5.1 ms ] story [ 18.7 ms ] thread
I am unsure if any such pre-built solutions exist but, we have created something similar for our app.

A user can setup an unlimited number of different API Keys for their account. For each API Key, we allow them to specify:

- Name/Description: For internal reference

- High Level Permissions:

Admin: (access to make any account updates).

Read-Only: (provide read-only access to the data).

Write Only: (allows for read & write operations).

- Low Level Permissions:

Access to various end-points that can be turned on/off.

- Throttling Options

Allow the user to specify Max Read Requests p/second and max write requests p/second

Very nice, thanks @amarcus - do you have any public-facing documentation I could review?