Skip to content

API Key Management #14

Description

@codebestia

Background

Merchants need to generate API keys to authenticate server-to-server integrations. Keys must be shown only once at generation time and stored only as a hash.

Proposed Steps

  1. Create POST /merchants/api-keys (protected) — generate a key in format sk_live_<32-char-random>, store prefix and sha256(key) hash, return the raw key once only
  2. Create GET /merchants/api-keys (protected) — list all non-revoked keys with prefix, label, lastUsedAt, createdAt
  3. Create DELETE /merchants/api-keys/:id (protected) — revoke a key by setting revokedAt = now
  4. Create an apiKeyAuth middleware that hashes the incoming bearer token, looks it up in ApiKey, updates lastUsedAt, and attaches the merchant to req.merchant
  5. Support both JWT and API key authentication transparently in auth.middleware.ts

Acceptance Criteria

  • POST /merchants/api-keys returns { key, prefix, id, label, createdAt } — raw key only in this response
  • Raw key is not stored in DB; only the SHA-256 hash is persisted
  • GET /merchants/api-keys returns list without exposing hashes or raw keys
  • DELETE /merchants/api-keys/:id marks key as revoked; subsequent auth attempts return 401
  • A merchant can only see and revoke their own keys
  • API key auth middleware works alongside JWT middleware
  • lastUsedAt is updated on each successful API key authentication
  • Maximum of 10 active API keys per merchant (return 400 if limit exceeded)

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions