Gateway routes that proxy upstream APIs now use a dedicated API key authentication middleware.
The middleware accepts either of these request formats:
- `Authorization: Bearer <api_key>`
- `X-Api-Key: <api_key>`

If both are present, a valid bearer token is preferred. A malformed `Authorization` header returns 401.
For each gateway request, the middleware:
- Extracts the presented API key from `Authorization` or `X-Api-Key`.
- Derives the key prefix from the first 16 characters.
- Looks up candidate key records by prefix.
- Verifies the full key using a timing-safe hash comparison.
- Rejects revoked keys with `401 Unauthorized`.
- Resolves and attaches:
  - `req.user`
  - `req.vault`
  - `req.api`
  - `req.endpoint`
  - `req.apiKeyRecord`
  - `req.apiKeyValue`

Rate limiting and balance checks remain separate middleware or route concerns and run after authentication.
The middleware returns clear 401 responses for common auth failures:
- `Unauthorized: missing API key`
- `Unauthorized: malformed Authorization header`
- `Unauthorized: API key not found`
- `Unauthorized: invalid API key`
- `Unauthorized: API key has been revoked`
- `Unauthorized: API key does not grant access to this API`

If the target API cannot be resolved, it returns:
`404 Not Found: unknown API`
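
The extraction, prefix lookup, timing-safe verification and revocation steps above, sketched as an added example; this is not the project's middleware. It assumes `key_hash` holds a hex SHA-256 digest, lower-cased header names, and an in-memory array standing in for the database lookup; all function and type names are hypothetical.

```typescript
import { createHash, timingSafeEqual } from "crypto";

// Hypothetical shapes; fields mirror api_keys.prefix, key_hash and revoked.
interface ApiKeyRecord { prefix: string; keyHash: string; revoked: boolean }
interface AuthResult { status: 200 | 401; error?: string; record?: ApiKeyRecord }
type HeaderMap = Record<string, string | undefined>;

// Assumption: key_hash holds a hex SHA-256 digest of the full key.
const hashKey = (key: string): string => createHash("sha256").update(key).digest("hex");

// A present but malformed Authorization header fails closed instead of
// silently falling back to X-Api-Key.
function extractKey(h: HeaderMap): { key?: string; error?: string } {
  const auth = h["authorization"];
  if (auth !== undefined) {
    const m = /^Bearer (\S+)$/.exec(auth);
    return m ? { key: m[1] } : { error: "Unauthorized: malformed Authorization header" };
  }
  const xKey = h["x-api-key"];
  return xKey ? { key: xKey } : { error: "Unauthorized: missing API key" };
}

function authenticate(h: HeaderMap, records: ApiKeyRecord[]): AuthResult {
  const { key, error } = extractKey(h);
  if (!key) return { status: 401, error };
  // The prefix only narrows the search; it is never proof of possession.
  const prefix = key.slice(0, 16);
  const candidates = records.filter((r) => r.prefix === prefix);
  if (candidates.length === 0) return { status: 401, error: "Unauthorized: API key not found" };
  const presented = Buffer.from(hashKey(key), "hex");
  const match = candidates.find((r) => {
    const stored = Buffer.from(r.keyHash, "hex");
    // timingSafeEqual throws on unequal lengths, so check length first.
    return stored.length === presented.length && timingSafeEqual(stored, presented);
  });
  if (!match) return { status: 401, error: "Unauthorized: invalid API key" };
  // Revocation is checked after verification, following the step order above.
  if (match.revoked) return { status: 401, error: "Unauthorized: API key has been revoked" };
  return { status: 200, record: match };
}

// Constructed sample keys and records (not real credentials).
const LIVE_KEY = "gw_test_0123456789abcdefLIVE";
const REVOKED_KEY = "gw_test_fedcba9876543210DEAD";
const RECORDS: ApiKeyRecord[] = [LIVE_KEY, REVOKED_KEY].map((k) => ({
  prefix: k.slice(0, 16), keyHash: hashKey(k), revoked: k === REVOKED_KEY,
}));
```

A key that shares a stored prefix but differs in its remaining characters reaches the hash comparison and is rejected as invalid, while an unknown prefix is rejected before any hash is compared.
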
The middleware is applied to the upstream proxy routes in:
- `src/routes/gatewayRoutes.ts`
- `src/routes/proxyRoutes.ts`

The route handlers then consume the attached request context instead of re-validating headers inline.
The database-backed middleware supports:
- prefix lookup from `api_keys.prefix`
- full-key hash verification against `api_keys.key_hash`
- revoked-key enforcement from `api_keys.revoked`
- eager loading of related `users` and `vaults`

To support revocation in environments that do not yet have the column, apply:
`migrations/0005_add_api_key_revocation.sql`