
System Design

The API Key Management System

Issuing, storing, and revoking long-lived credentials for machine clients.

5 min read · core

Keys for machines

An API key is a long-lived credential a program presents to call your service. Unlike a user session, it belongs to a machine client and often lives for months, so its management needs care.

Generate, show once, store hashed

When a key is created the system shows the full secret once and never again. It stores only a hash of the key, just like a password. On each call it hashes the presented key and compares, so a database leak does not expose usable keys.

A short non-secret prefix is kept in clear so a key can be identified in logs and dashboards without revealing the secret.

Lifecycle controls

  • Scopes limit what each key may do.
  • Expiry forces periodic renewal.
  • Revocation instantly disables a leaked key.
  • Last used tracking helps spot stale or compromised keys.

Rotation support

The system should allow two active keys at once so a client can roll to a new key before retiring the old one, avoiding downtime.
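The sections above describe one procedure: mint a key and show it once, store only its hash beside a clear prefix, check scope, expiry and revocation on every call, record last use, and permit two active keys per client for rotation. The following is an added example that is not part of this lesson; it is a small in-memory store written to illustrate those rules. Its key format (`ak_<prefix>.<secret>`), the 8-character prefix, the two-key limit, the `NOW`/`DAY` constants and the `demo()` walkthrough are all my assumptions. Because an API key is a high-entropy random string rather than a human-chosen password, a plain SHA-256 digest with a constant-time comparison is used instead of a slow password hash.

```python
"""Added example (not from the lesson): a minimal in-memory API key store.
Assumed key format: "ak_<prefix>.<secret>"; the prefix is stored in clear,
the full key is stored only as a SHA-256 digest and is never written down.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed clock for the demo
DAY = timedelta(days=1)


@dataclass
class KeyRecord:
    client_id: str
    prefix: str                 # non-secret; safe to show in logs and dashboards
    key_hash: bytes             # SHA-256 of the full key; the secret itself is never stored
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False
    last_used_at: Optional[datetime] = None


class ApiKeyStore:
    MAX_ACTIVE_PER_CLIENT = 2   # assumed limit: old key + new key during rotation

    def __init__(self) -> None:
        self._by_prefix: dict[str, KeyRecord] = {}

    @staticmethod
    def _hash(full_key: str) -> bytes:
        return hashlib.sha256(full_key.encode()).digest()

    @staticmethod
    def prefix_of(full_key: str) -> Optional[str]:
        """Extract the clear prefix from "ak_<prefix>.<secret>"; None if malformed."""
        parts = full_key.split("_", 1)
        return parts[1].split(".", 1)[0] if len(parts) == 2 else None

    def active_keys(self, client_id: str, now: datetime) -> list:
        return [r for r in self._by_prefix.values()
                if r.client_id == client_id and not r.revoked and r.expires_at > now]

    def create(self, client_id: str, scopes, ttl_days: int, now: datetime) -> str:
        """Mint a key and return the full secret exactly once; only its hash is kept."""
        if len(self.active_keys(client_id, now)) >= self.MAX_ACTIVE_PER_CLIENT:
            raise RuntimeError("rotate: revoke an old key before issuing another")
        prefix = secrets.token_hex(4)                 # 8 hex chars, kept in clear
        while prefix in self._by_prefix:              # avoid a (rare) prefix collision
            prefix = secrets.token_hex(4)
        full_key = f"ak_{prefix}.{secrets.token_urlsafe(32)}"
        self._by_prefix[prefix] = KeyRecord(
            client_id=client_id, prefix=prefix, key_hash=self._hash(full_key),
            scopes=frozenset(scopes), expires_at=now + ttl_days * DAY)
        return full_key                               # shown to the caller now, never again

    def revoke(self, prefix: str) -> None:
        self._by_prefix[prefix].revoked = True        # takes effect on the next call

    def authenticate(self, presented: str, required_scope: str, now: datetime) -> Optional[str]:
        """Return the client_id if the key is valid for the scope, else None."""
        prefix = self.prefix_of(presented)
        rec = self._by_prefix.get(prefix) if prefix else None
        if rec is None:
            return None
        # constant-time compare of digests: a leaked table holds only hashes
        if not hmac.compare_digest(rec.key_hash, self._hash(presented)):
            return None
        if rec.revoked or rec.expires_at <= now or required_scope not in rec.scopes:
            return None
        rec.last_used_at = now                        # feeds the stale-key report
        return rec.client_id

    def stale_keys(self, now: datetime, idle_days: int) -> list:
        """Prefixes of live keys unused for idle_days: candidates for revocation."""
        cutoff = now - idle_days * DAY
        return [r.prefix for r in self._by_prefix.values()
                if not r.revoked and r.expires_at > now
                and (r.last_used_at is None or r.last_used_at < cutoff)]


def demo() -> dict:
    """Walk through issue, scope check, rotation, revocation, expiry and stale detection."""
    store = ApiKeyStore()
    k1 = store.create("svc-a", {"read"}, 30, NOW)
    k2 = store.create("svc-a", {"read"}, 30, NOW)    # second active key: rotation window
    try:
        store.create("svc-a", {"read"}, 30, NOW)
        third_allowed = True
    except RuntimeError:
        third_allowed = False
    out = {
        "k1_read": store.authenticate(k1, "read", NOW) == "svc-a",
        "k1_write": store.authenticate(k1, "write", NOW) is None,   # scope enforced
        "tampered": store.authenticate(k1 + "x", "read", NOW) is None,
        "garbage": store.authenticate("not-a-key", "read", NOW) is None,
        "third_allowed": third_allowed,
    }
    store.revoke(store.prefix_of(k1))                 # old key retired after roll-over
    out["k1_after_revoke"] = store.authenticate(k1, "read", NOW) is None
    out["k2_still_works"] = store.authenticate(k2, "read", NOW) == "svc-a"
    out["k2_expired"] = store.authenticate(k2, "read", NOW + 31 * DAY) is None
    out["stale"] = store.stale_keys(NOW + 10 * DAY, 5) == [store.prefix_of(k2)]
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the revoked `k1` is excluded from the stale report, while `k2`, last used at `NOW`, is flagged ten days later: revocation and last-used tracking are separate controls, and the report only nominates live keys for a human to review.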

Key idea

An API key system shows the secret once, stores only a hash with a prefix, and supports scopes, expiry, and revocation so machine credentials stay controllable.

Check yourself


1. Why does the system store only a hash of an API key?

2. What is the non-secret prefix used for?

3. Allowing two active keys at once supports