Platform API Keys

.agents/features/api-keys.md


Summary

Platform API Keys allow platform admins to generate long-lived service credentials (prefixed sk-) that authenticate machine-to-machine API calls on behalf of the platform. Each key is 64 characters long and is stored only as a SHA-256 hash (the plaintext is returned once on creation and never again). The truncated last 4 characters are stored for display purposes. Keys track lastUsedAt, which is updated on every authenticated request. This feature is gated by platform.plan.apiKeysEnabled.

Key Files

  • packages/server/api/src/app/ee/api-keys/api-key-module.ts — module registration with platformMustHaveFeatureEnabled guard
  • packages/server/api/src/app/ee/api-keys/api-key-entity.ts — TypeORM entity
  • packages/server/api/src/app/ee/api-keys/api-key-service.ts — service (add, list, delete, lookup by value)
  • packages/shared/src/lib/ee/api-key/index.ts — ApiKey, ApiKeyResponseWithValue, ApiKeyResponseWithoutValue, CreateApiKeyRequest types
  • packages/web/src/features/platform-admin/api/api-key-api.ts — frontend API client
  • packages/web/src/features/platform-admin/hooks/api-key-hooks.ts — React query hooks
  • packages/web/src/app/routes/platform/security/api-keys/ — platform admin UI page

Edition Availability

Enterprise and Cloud. Gated by platform.plan.apiKeysEnabled. The module registers the hook: platformMustHaveFeatureEnabled((platform) => platform.plan.apiKeysEnabled).

Domain Terms

  • API Key: A platform-scoped service credential used for programmatic access.
  • hashedValue: SHA-256 hash of the raw key, used for lookup on every request.
  • truncatedValue: Last 4 characters of the raw key, shown in the UI for identification.
  • lastUsedAt: ISO timestamp updated each time the key is successfully authenticated.

Entity

Table name: api_key

| Column | Type | Notes |
|---|---|---|
| id | ApId (string) | PK |
| created | string | From BaseColumnSchemaPart |
| updated | string | From BaseColumnSchemaPart |
| platformId | ApId | FK to platform (CASCADE DELETE) |
| displayName | string | Human-readable label |
| hashedValue | string | SHA-256 of the secret key |
| truncatedValue | string | Last 4 chars for display |
| lastUsedAt | string (nullable) | ISO timestamp of last use |

Endpoints

All endpoints mount under /v1/api-keys. All require platformAdminOnly access.

| Method | Path | Auth | Response | Description |
|---|---|---|---|---|
| POST | /v1/api-keys | USER (platform admin) | ApiKeyResponseWithValue (201) | Create a new key; returns raw value once |
| GET | /v1/api-keys | USER (platform admin) | SeekPage<ApiKeyResponseWithoutValue> (200) | List all keys for platform |
| DELETE | /v1/api-keys/:id | USER (platform admin) | 200 | Delete a key |

Service Methods

  • add({ platformId, displayName }) — generates a 64-char sk-... key, stores hashed/truncated values, returns ApiKeyResponseWithValue (includes plaintext value).
  • getByValue(key) — looks up by hashedValue using SHA-256; updates lastUsedAt on hit. Used by the authentication middleware.
  • list({ platformId }) — returns all keys for the platform (not paginated internally, wrapped in SeekPage with null cursors).
  • delete({ platformId, id }) — deletes by platform + id; throws ENTITY_NOT_FOUND if key is not found.

Key Generation

Keys are generated with secureApId(61) prefixed with sk- to reach 64 characters total. The full value is hashed with cryptoUtils.hashSHA256 for storage. The truncated display value is the last 4 characters of the raw key.
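
The generate, hash, store and lookup flow described under Key Generation and getByValue, as an added sketch that is not the project's own code. randomAlphanumeric and hashSHA256 are assumed stand-ins for secureApId and cryptoUtils.hashSHA256 (the alphabet and hex encoding are assumptions), and the Map is a constructed stand-in for the api_key table.

```typescript
import { createHash, randomInt } from 'node:crypto'

// Assumed stand-in for secureApId: random alphanumeric string from a CSPRNG
// (randomInt draws uniformly, so there is no modulo bias).
const ALPHABET = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
function randomAlphanumeric(length: number): string {
    let out = ''
    for (let i = 0; i < length; i++) out += ALPHABET.charAt(randomInt(ALPHABET.length))
    return out
}

// Assumed stand-in for cryptoUtils.hashSHA256 (hex output is an assumption).
function hashSHA256(value: string): string {
    return createHash('sha256').update(value).digest('hex')
}

type StoredKey = {
    displayName: string
    hashedValue: string
    truncatedValue: string
    lastUsedAt: string | null
}

// Constructed in-memory stand-in for the api_key table, indexed by hashedValue.
const table = new Map<string, StoredKey>()

// Mirrors add(): the plaintext goes back to the caller once and is never stored.
function addKey(displayName: string): StoredKey & { value: string } {
    const value = `sk-${randomAlphanumeric(61)}` // 3 + 61 = 64 characters
    const row: StoredKey = {
        displayName,
        hashedValue: hashSHA256(value),
        truncatedValue: value.slice(-4),
        lastUsedAt: null,
    }
    table.set(row.hashedValue, row)
    return { ...row, value }
}

// Mirrors getByValue(): hash the presented key, look it up, stamp lastUsedAt on a hit.
function getByValue(presented: string): StoredKey | null {
    const row = table.get(hashSHA256(presented))
    if (!row) return null
    row.lastUsedAt = new Date().toISOString()
    return row
}
```

Because the key is long and random, a fast unsalted hash is enough to keep the stored value from revealing the key, and it allows a plain equality lookup on hashedValue.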