HACKER Q&A
📣 runeks

How do you handle API-key generation/management for your SaaS?


I need to implement API-key generation and management for a multi-tenant SaaS.

How have you implemented this for your SaaS?

The API-key system I'm designing needs to support:

* Instant revocation
* Different application access levels (e.g. "read-only" and "read+write")
* "Read+write" API keys should be able to generate new API keys and revoke old ones (a "read-only" API key must not be able to do this)

Notes:

* I already use Keycloak for user+password logins


  👤 martinopp Accepted Answer ✓
It depends on the tech stack you are currently using for your SaaS. I would not develop this from scratch. For example, if you are using Laravel for the backend, you can develop this feature "easily" using Laravel Passport (https://laravel.com/docs/8.x/passport)

If you are using Keycloak, the solution might be in this post: https://stackoverflow.com/questions/52230634/issuing-api-key...


👤 sdevonoes
A custom relational table plus custom code.
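As an added example (not code from the question or from either answer), here is the "custom relational table plus custom code" approach sdevonoes describes, written in Python with sqlite3 against the three requirements in the question: instant revocation, read-only vs. read+write scopes, and key management restricted to read+write keys. The class and method names (ApiKeyStore, bootstrap_key, issue_key, revoke_key), the table layout, and the `key_id.secret` key format are my assumptions; it does not integrate with Keycloak.

```python
import hashlib
import hmac
import secrets
import sqlite3
from dataclasses import dataclass
from typing import Optional

READ_ONLY = "read-only"
READ_WRITE = "read+write"

# Constructed schema: one row per key, one table for all tenants. Only a hash
# of the secret is stored, so a database leak does not leak usable keys.
SCHEMA = """
CREATE TABLE IF NOT EXISTS api_keys (
    key_id    TEXT PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    key_hash  TEXT NOT NULL,
    scope     TEXT NOT NULL CHECK (scope IN ('read-only', 'read+write')),
    revoked   INTEGER NOT NULL DEFAULT 0
)
"""


@dataclass(frozen=True)
class KeyInfo:
    key_id: str
    tenant_id: str
    scope: str


def _hash_secret(secret: str) -> str:
    # The secret is 256 random bits, so plain SHA-256 (not a slow password
    # hash) already makes the stored value useless to an attacker.
    return hashlib.sha256(secret.encode()).hexdigest()


class ApiKeyStore:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.execute(SCHEMA)

    def bootstrap_key(self, tenant_id: str) -> str:
        # A tenant's first read+write key, minted by the operator (e.g. at
        # tenant creation), not via another API key.
        return self._insert(tenant_id, READ_WRITE)

    def _insert(self, tenant_id: str, scope: str) -> str:
        key_id = secrets.token_hex(8)       # public identifier, safe to log
        secret = secrets.token_urlsafe(32)  # 256 bits of entropy
        self.conn.execute(
            "INSERT INTO api_keys (key_id, tenant_id, key_hash, scope) VALUES (?, ?, ?, ?)",
            (key_id, tenant_id, _hash_secret(secret), scope),
        )
        self.conn.commit()
        return f"{key_id}.{secret}"  # shown exactly once; not recoverable later

    def authenticate(self, presented: str) -> Optional[KeyInfo]:
        # Every request hits the table, so a revocation takes effect instantly.
        key_id, sep, secret = presented.partition(".")
        if not sep:
            return None
        row = self.conn.execute(
            "SELECT tenant_id, key_hash, scope, revoked FROM api_keys WHERE key_id = ?",
            (key_id,),
        ).fetchone()
        if row is None:
            return None
        tenant_id, key_hash, scope, revoked = row
        # Constant-time comparison avoids a timing side channel on the hash.
        if not hmac.compare_digest(key_hash, _hash_secret(secret)) or revoked:
            return None
        return KeyInfo(key_id, tenant_id, scope)

    def _require_read_write(self, caller_key: str) -> KeyInfo:
        caller = self.authenticate(caller_key)
        if caller is None:
            raise PermissionError("invalid or revoked API key")
        if caller.scope != READ_WRITE:
            raise PermissionError("key management requires a read+write key")
        return caller

    def issue_key(self, caller_key: str, scope: str) -> str:
        # A read+write key may mint new keys, always within its own tenant.
        caller = self._require_read_write(caller_key)
        if scope not in (READ_ONLY, READ_WRITE):
            raise ValueError(f"unknown scope {scope!r}")
        return self._insert(caller.tenant_id, scope)

    def revoke_key(self, caller_key: str, target_key_id: str) -> None:
        # The tenant_id predicate stops one tenant revoking another's keys.
        caller = self._require_read_write(caller_key)
        cur = self.conn.execute(
            "UPDATE api_keys SET revoked = 1 WHERE key_id = ? AND tenant_id = ?",
            (target_key_id, caller.tenant_id),
        )
        self.conn.commit()
        if cur.rowcount == 0:
            raise LookupError("no such key in this tenant")


def demo() -> dict:
    # Walks the lifecycle from the question and returns what was observed.
    store = ApiKeyStore(sqlite3.connect(":memory:"))
    admin_a = store.bootstrap_key("tenant-a")
    admin_b = store.bootstrap_key("tenant-b")
    ro = store.issue_key(admin_a, READ_ONLY)
    ro_id = ro.split(".", 1)[0]
    results = {"ro_scope": store.authenticate(ro).scope,
               "garbage_auth": store.authenticate("not-a-key")}
    try:
        store.issue_key(ro, READ_ONLY)  # read-only keys must not mint keys
        results["ro_can_issue"] = True
    except PermissionError:
        results["ro_can_issue"] = False
    try:
        store.revoke_key(admin_b, ro_id)  # other tenant cannot revoke it
        results["cross_tenant_revoke"] = True
    except LookupError:
        results["cross_tenant_revoke"] = False
    store.revoke_key(admin_a, ro_id)
    results["ro_after_revoke"] = store.authenticate(ro)  # None once revoked
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting: because authenticate() reads the row on every call rather than trusting a self-contained signed token, there is no window between revoking a key and it stopping working, which is what "instant revocation" costs you (one indexed lookup per request). Rotating keys is then just issue_key followed by revoke_key.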