API Key Authentication
We are excited to announce the release of API Key authentication, a powerful feature that adds another way for your users to make requests to your product. With API Keys, you can now create unique authentication keys for your end users and organizations, ensuring secure communication between your product and your customers.
This also opens up the opportunity to authenticate requests made to browserless products, like cURL based or CLI products, without needing to create any UIs.
Basic Usage
There are three different kinds of API Keys that PropelAuth can generate, based on your desired use case.
- Personal Key - an API key tied to a user. If the user is blocked/deleted, the API key is blocked/deleted as well. Validating this will return the user’s information.
- Organization Key - an API key tied to an organization. Revoked when the organization is deleted and (optionally) when the user who created the key leaves the org.
- Generic - not tied to a user or organization. These can only be made programmatically and is more for cases where you want different backend systems to talk to each other.
Setup
To get started with API Key Authentication, follow these simple steps:
- In the API Key Settings section of the dashboard, make sure to enable your preferred feature, either Personal or Organization API Keys, or both.
- Click on the Preview button in your dashboard, and select the API Key hosted page(s) you wish to enable.
- Redirect your customers to these UIs, where they can create their own API Keys.
Validate Requests from your customers
Once your customers have generated an API Key, they can include it in the header of their requests to your product. By verifying the request against our validation API endpoints, you can ensure that it is coming from a legitimate user and obtain any relevant metadata from the requester.
As an example, below is a snippet of an Express backend that is logging to the console the user returned from the validatePersonalApiKey endpoint.
app.post('/api/whoami', async (req, res) => {
const apiKey = await auth.validatePersonalApiKey(
req.headers.authorization
)
res.json(apiKey)
})
Output
{
user: {
"userId":"98cef184-7c15-45c5-8918-8c2295aa7ffe",
"email":"test@propelauth.com",
"emailConfirmed":true,
"hasPassword":true,
"pictureUrl":"https://img.propelauth.com/2a27d237-db8c-4f82-84fb-5824dfaedc87.png",
"locked":false,
"enabled":true,
"mfaEnabled":false,
"canCreateOrgs":false,
"createdAt":1685487933,
"lastActiveAt":1685494460,
"orgIdToOrgInfo":{
...
},
"updatePasswordRequired":false
},
metadata: {
"howDoISetThis": "you can set the metadata on API key creation or update"
}
}