Server Mode
Connecting to apikee.dev for advanced validation, tracking, and fraud detection.
Server mode connects your app to the apikee developer platform to add production-grade features on top of local validation.
How it works
In server mode, every validated request triggers an encrypted call to apikee.dev/api/v1. The SDK:
- Validates locally first (signature, expiry, scopes) — this never changes and takes ~0.1ms
- Encrypts the request payload using X25519 ECDH + AES-256-GCM
- Posts the ciphertext to POST /client/{uuid}?project_env=...&method_path=...
- apikee.dev decrypts, runs server-side checks (IP, rate limits, fraud signals), and logs
- Returns an encrypted result which the SDK decrypts
- If success: false, the SDK raises an error (or allows through if fail_open: true)
The raw API key is never transmitted in plaintext — only AES-GCM ciphertext leaves your process.
Setup
Create a project on apikee.dev
Go to apikee.dev, create a project, and copy your project key (sk_live_...) and project_env slug.
Add two config values
# Python
apikee = Apikee(
    secrets=["your-local-secret"],
    server_key="sk_live_...",
    project_env="my-api-production",
)

# Java (application.yml)
apikee:
  secrets: [ your-local-secret ]
  server-key: ${APIKEE_SERVER_KEY}
  project-env: my-api-production

// .NET (Program.cs)
builder.Services.AddApikee(o => {
    o.Secrets = ["your-local-secret"];
    o.ServerKey = Environment.GetEnvironmentVariable("APIKEE_SERVER_KEY");
    o.ProjectEnv = "my-api-production";
});

// Node.js
const apikee = new Apikee({
  secrets: ['your-local-secret'],
  serverKey: process.env.APIKEE_SERVER_KEY,
  projectEnv: 'my-api-production',
})

Deploy and watch data flow in
Endpoints auto-register on first request. Client stats appear in the dashboard immediately. Logs are searchable by client, endpoint, and status.
Auto-features
Once server mode is active, these work automatically without any code changes:
Auto-register endpoints — the first request to any route registers it on apikee.dev. No configuration needed.
Auto-create clients — when your SDK issues a new key, it automatically creates or upserts the matching client on apikee.dev.
fail_open behaviour
By default, if the apikee.dev call fails (network error, timeout, 5xx), the SDK allows the request through. Local validation still ran and passed.
# Strict mode — reject requests if server call fails
apikee = Apikee(
    secrets=["..."],
    server_key="sk_live_...",
    project_env="my-api-production",
    fail_open=False,  # reject on server failure
)

Set fail_open=False only if your API can tolerate rejecting valid requests during a platform outage. For most APIs, fail_open=True (the default) is the right choice.
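The trade-off above, modelled as an added example. This is not apikee SDK code: `decide`, `Decision`, `stub_call`, `outage_report` and the sample traffic are constructed for illustration. It covers only the failure cases listed above (network error, timeout, 5xx) and assumes any completed call is one whose server-side checks passed.

```python
from dataclasses import dataclass

@dataclass
class Decision:
    allowed: bool
    degraded: bool  # True when the server-side checks did not run
    reason: str

def decide(local_ok, server_call, fail_open=True):
    """Model of the flow: local validation first, then the server call."""
    if not local_ok:
        # Bad signature, expiry or scope: rejected before any server call.
        return Decision(False, False, "local validation failed")
    try:
        status = server_call()
    except (TimeoutError, ConnectionError) as exc:
        failure = type(exc).__name__
    else:
        if status < 500:
            # Assumption: a completed call means the server-side checks passed.
            return Decision(True, False, "server checks ran")
        failure = f"HTTP {status}"
    # Only transport failures reach this point; fail_open decides the outcome.
    return Decision(fail_open, True, f"server call failed ({failure})")

def stub_call(outcome):
    """Constructed stand-in for the platform call."""
    def server_call():
        if outcome == "timeout":
            raise TimeoutError("no reply within server_timeout")
        if outcome == "network":
            raise ConnectionError("connection refused")
        return outcome  # an HTTP status code
    return server_call

# Constructed traffic: (local validation result, server outcome).
SAMPLE = [(True, 200), (True, "timeout"), (True, 503),
          (False, 200), (True, "network"), (True, 200)]

def outage_report(sample, fail_open):
    decisions = [decide(ok, stub_call(out), fail_open) for ok, out in sample]
    return {
        "allowed": sum(d.allowed for d in decisions),
        "rejected": sum(not d.allowed for d in decisions),
        # Requests served without IP, rate-limit or fraud checks.
        "unchecked": sum(d.allowed and d.degraded for d in decisions),
    }

if __name__ == "__main__":
    print(outage_report(SAMPLE, fail_open=True))
    print(outage_report(SAMPLE, fail_open=False))
```

The `unchecked` count is the figure to alert on: with the default setting, those requests were served on local validation alone.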
Timeout
The default server call timeout is 3 seconds. Adjust if needed:
apikee = Apikee(
    secrets=["..."],
    server_key="sk_live_...",
    project_env="my-api-production",
    server_timeout=1.5,  # seconds (Python)
)

Environment variables
Store your server key securely:
# .env (never commit this)
APIKEE_SERVER_KEY=sk_live_...
APIKEE_PROJECT_ENV=my-api-production
APIKEE_LOCAL_SECRET=your-signing-secret
