API Key Management

Generate, scope, rotate, and rate-limit API keys. Usage tracking included.

The Problem

Most apps hand-roll their API key system. It starts as a single string in the database and grows into something that needs scopes, expiration, per-key rate limits, usage tracking, rotation, and an admin UI for your customers to manage their own keys.

Done correctly, this is weeks of work. Done incorrectly, it’s a security incident waiting to happen — leaked keys with no way to scope the blast radius, no audit trail of what was called, and a rotation process that breaks integrations.

How Flux Handles It

Flux provides a complete API key lifecycle out of the box:

  • Scoped keys: Every key carries a set of permissions — read-only, write, admin, or custom scopes you define
  • Per-key rate limits: Set different quota tiers per key, or inherit limits from the organization’s plan
  • Expiration and rotation: Keys can be time-limited; rotation issues a new key and provides a grace period before the old one is invalidated
  • Customer self-service: A hosted portal lets your customers create and manage their own API keys without touching your support queue
  • Usage tracking: Every API call is attributed to the key that made it — queryable by key, org, endpoint, and time range
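The rotation grace period and scope check from the list above, as an added example in plain Rust (not Flux's implementation or SDK code). `KeyStore`, `Verdict`, the key ids and the choice to index records by a non-secret key id are assumptions made for illustration.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Verdict { Allowed, UnknownKey, Expired, MissingScope }
// Times are Unix seconds; `expires_at: None` means the key never expires.
struct KeyRecord { scopes: Vec<String>, expires_at: Option<u64> }
// Indexed by a non-secret key id (assumed design); comparing the secret
// part against a stored hash is a separate step not shown here.
#[derive(Default)]
pub struct KeyStore { keys: HashMap<String, KeyRecord> }

impl KeyStore {
    pub fn issue(&mut self, id: &str, scopes: &[&str], expires_at: Option<u64>) {
        let scopes = scopes.iter().map(|s| s.to_string()).collect();
        self.keys.insert(id.to_string(), KeyRecord { scopes, expires_at });
    }

    // Issue `new_id` with the old key's scopes and cap the old key at
    // `now + grace`. Grace never extends a key due to expire sooner.
    pub fn rotate(&mut self, old_id: &str, new_id: &str, now: u64, grace: u64,
                  new_expires_at: Option<u64>) -> Result<(), Verdict> {
        let old = self.keys.get_mut(old_id).ok_or(Verdict::UnknownKey)?;
        if old.expires_at.map_or(false, |t| now >= t) {
            return Err(Verdict::Expired); // an expired key cannot mint a successor
        }
        let cutoff = now.saturating_add(grace);
        old.expires_at = Some(old.expires_at.map_or(cutoff, |t| t.min(cutoff)));
        let scopes = old.scopes.clone();
        self.keys.insert(new_id.to_string(), KeyRecord { scopes, expires_at: new_expires_at });
        Ok(())
    }

    // Expiry is checked before scope, so a dead key gets no scope feedback.
    pub fn verify(&self, id: &str, scope: &str, now: u64) -> Verdict {
        match self.keys.get(id) {
            None => Verdict::UnknownKey,
            Some(r) if r.expires_at.map_or(false, |t| now >= t) => Verdict::Expired,
            Some(r) if !r.scopes.iter().any(|s| s == scope) => Verdict::MissingScope,
            Some(_) => Verdict::Allowed,
        }
    }
}

fn main() {
    // Constructed sample: rotate at t=1_000 with a 300 s grace period.
    let mut store = KeyStore::default();
    store.issue("k_old", &["read:events"], Some(10_000));
    store.rotate("k_old", "k_new", 1_000, 300, Some(20_000)).unwrap();
    println!("{:?}", store.verify("k_old", "read:events", 1_300));
}
```

During the grace window both keys verify, which is what lets integrations switch over without an outage; the window's length is the exposure you accept if the old key was rotated because it leaked.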

What Makes It Different

Flux API keys are first-class auth tokens. When a request comes in with a Flux API key, the entire platform context is available: the org it belongs to, the plan that org is on, the entitlements that apply, and the rate limit state. No extra lookups required.

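use flux_sdk::Flux;

// Hypothetical wrapper so the snippet forms a complete function. The String
// parameters and the boxed error type are assumptions; the SDK's own types
// are not shown on this page.
fn handle_request(incoming_key: String, org_id: String) -> Result<(), Box<dyn std::error::Error>> {
    // Placeholder value: load the platform key from your secret store, not from source
    let flux = Flux::init("your-api-key");

    // Verify an inbound API key and get full context
    let key_ctx = flux.keys().verify(&incoming_key)?;

    println!("Org: {}", key_ctx.org_id);
    println!("Scopes: {:?}", key_ctx.scopes);

    // Check entitlements using the key's context — billing-aware, flag-aware
    let allowed = flux.entitlements().check_for_key(&key_ctx, "bulk_export")?;

    // Issue a new scoped key for a customer
    let new_key = flux.keys().create()
        .for_org(&org_id)
        .with_scopes(["read:events", "write:configs"])
        .expires_in_days(90)
        .issue()?;

    // `allowed` and `new_key` are left for the caller's own logic
    Ok(())
}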

Your customers get a great API key experience. You get security and visibility without building it yourself.
