Introduction
What apikee is, why it exists, and how it works.
apikee is an open-source API key management library with an optional cloud layer. It gives you signed, self-validating keys in one line of code — and optionally connects to the apikee developer platform for production-grade key management.
The problem
Most APIs bolt on key management as an afterthought:
- Keys stored as plain strings in a database — any query leaks all of them
- Expiry requires a DB lookup on every request — slow and fragile
- No standard way to embed scopes, tenant, or metadata into the key itself
- Rolling your own middleware for every framework is repetitive
- Swagger/OpenAPI security scheme has to be wired manually
The apikee solution
Self-contained signed keys. Every key embeds its own claims (tenant, scopes, expiry, metadata) and is signed with HMAC-SHA256. Validation is pure CPU — no I/O, no database.
Framework-native middleware. One line protects every route. Swagger security is injected automatically.
Optional cloud layer. Connect to apikee.dev to get server-side fraud detection, rate limiting, usage logs, and client management — via an encrypted channel so raw keys never leave your process.
Architecture
Your API                          apikee package
────────────────────────────────────────────────
POST /keys  → apikee.create()     signs with HMAC-SHA256
  ↳ returns "apikee_..."          embeds exp, scopes, tenant

GET /data   → middleware.verify()
  x-api-key: apikee_...           splits key → payload + sig
                                  HMAC check (constant-time)
                                  decodes claims
                                  checks exp, nbf
                                  ↓ server mode only (optional)
                                  encrypts request (AES-GCM)
                                  → apikee.dev validates
                                  checks IP, rate limit, fraud
                                  logs to MongoDB

In local mode the entire validation pipeline is steps 1–5 above — all pure CPU. In server mode, step 6 adds a single encrypted network call to apikee.dev/api/v1.
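The local-mode create/verify flow in the diagram above, and the self-contained signed key design described under "The apikee solution", as an added Python example. This is not apikee's own code: it assumes a key layout of the form apikee_ + base64url(claims) + "." + base64url(HMAC-SHA256 tag), which is an assumption and not necessarily apikee's real wire format, and the names create_key, verify_key, authorize and InvalidKey are illustrative. The secret and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

PREFIX = "apikee_"  # prefix taken from the diagram; the rest of the layout is assumed


class InvalidKey(Exception):
    """Raised for any key that fails validation; the message is for logs, never the client."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_key(secret: bytes, tenant: str, scopes: List[str], ttl_seconds: int,
               now: Optional[int] = None, nbf: Optional[int] = None,
               metadata: Optional[Dict] = None) -> str:
    """Mint a self-contained key: PREFIX + base64url(claims) + '.' + base64url(HMAC-SHA256)."""
    now = int(time.time()) if now is None else now
    claims = {"tenant": tenant, "scopes": scopes, "iat": now, "exp": now + ttl_seconds}
    if nbf is not None:
        claims["nbf"] = nbf
    if metadata:
        claims["meta"] = metadata
    # Canonical JSON (sorted keys, no whitespace) so the signed bytes are reproducible.
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{PREFIX}{payload}.{_b64url_encode(sig)}"


def verify_key(secrets: List[bytes], key: str, now: Optional[int] = None) -> Dict:
    """Validate with no I/O: split key, constant-time HMAC check, decode claims, check exp/nbf.

    `secrets` may hold several values so the previous secret keeps working during rotation.
    """
    now = int(time.time()) if now is None else now
    if not key.startswith(PREFIX):
        raise InvalidKey("wrong prefix")
    payload, dot, sig_text = key[len(PREFIX):].rpartition(".")
    if not dot or not payload or not sig_text:
        raise InvalidKey("malformed key")
    try:
        sig = _b64url_decode(sig_text)
    except ValueError:
        raise InvalidKey("malformed signature")
    # Check the signature BEFORE parsing claims so unauthenticated JSON is never decoded.
    for secret in secrets:
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):  # constant-time: no timing oracle on the tag
            break
    else:
        raise InvalidKey("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        raise InvalidKey("malformed claims")
    if not isinstance(claims, dict) or "exp" not in claims:
        raise InvalidKey("missing exp")
    if now >= claims["exp"]:
        raise InvalidKey("expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise InvalidKey("not yet valid")
    return claims


def authorize(secrets: List[bytes], headers: Dict[str, str], required_scope: str,
              now: Optional[int] = None) -> Tuple[int, str]:
    """Middleware-style gate: returns (HTTP status, detail). The detail never echoes the key."""
    key = headers.get("x-api-key")
    if not key:
        return 401, "missing x-api-key"
    try:
        claims = verify_key(secrets, key, now=now)
    except InvalidKey as err:
        return 401, str(err)
    if required_scope not in claims.get("scopes", []):
        return 403, "insufficient scope"
    return 200, claims["tenant"]


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample; use a random 32-byte secret in practice
    key = create_key(secret, "acme", ["read"], ttl_seconds=3600, now=1_700_000_000)
    print(key)
    print(authorize([secret], {"x-api-key": key}, "read", now=1_700_000_000))
```

Two details matter for the "security by default" claims above: the HMAC tag is checked with hmac.compare_digest before any claim is parsed, so a forged payload never reaches the JSON decoder, and verify_key accepts a list of secrets so a secret can be rotated without invalidating every key at once (list the new secret first, drop the old one once its keys have expired).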
Two modes in detail
Local mode
Zero dependencies, zero network. HMAC-signed keys with embedded claims validated entirely in-process.
Server mode
Encrypted connection to apikee.dev. Adds fraud detection, rate limiting, usage tracking, client management.
Design principles
Speed first. Key validation must never be the bottleneck. Local validation runs in under 0.1ms.
Security by default. Constant-time HMAC comparison prevents timing oracle attacks. Keys are never logged internally. Raw keys are never transmitted in plaintext in server mode.
One API across all languages. The same concepts and method names work in Python, Node.js, Java, and .NET. Learn once, apply everywhere.
Progressive enhancement. Start with Apikee(secrets=["..."]) and add server mode later by setting two config values.