Overview
Admin workflow for issuing, rotating, and disabling client API keys used by protected backend routes.
This component documents the backend API Key Management module used to issue client keys for protected business routes.
Use these routes from an internal admin experience to create client API keys, rotate them, deactivate them, and inspect their masked metadata later.
- Admin auth header: send `x-admin-key` on every API Key Management route.
- Business auth header: created client keys are later sent as `x-api-key` on protected feature routes.
- One-time raw key: the backend returns the full raw client key only during create and rotate responses.
- Internal-only admin flow: do not expose admin-key routes to public users.
Before the admin UI can call API Key Management routes, configure the admin secret in the DB backend environment.
- Environment file: set `ADMIN_API_KEY=your-key` in the DB backend `.env` file.
- Frontend usage: the admin UI sends this same value in the `x-admin-key` header.
- Operational note: restart the DB backend after changing environment variables if your runtime does not hot-reload `.env` values.
Backend Setup
A predictable admin UI should separate admin authentication, key creation, and later lifecycle actions.
1. Set the admin key in the internal UI before loading key records.
2. Create a client API key with a name, active flag, and optional expiry.
3. Save the raw key immediately because later list responses only return masked details.
4. Reuse the client key in protected routes such as Symbol Management and Backend Export Download.
5. Rotate or deactivate keys when you need to replace compromised or expired client credentials.
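The following Python sketch is an added example, not code from this module: it models the lifecycle above with a hypothetical in-memory store, so that create and rotate are the only calls that ever return the raw key, list returns masked metadata, deactivate and expiry stop verification, and both `x-admin-key` and `x-api-key` are compared in constant time. Function names, the `ck_` prefix, the `STORE` dict and the 7-character masked prefix are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical in-memory stand-in for the DB backend's key table (assumption).
# Only a hash of each client key is persisted; the raw key exists only in the
# create/rotate return value, which is the one-time raw key rule above.
@dataclass
class KeyRecord:
    name: str
    key_hash: str                  # sha256 hex of the raw key, never the key itself
    prefix: str                    # short prefix kept for masked display
    active: bool
    expires_at: Optional[datetime]

STORE: dict = {}

def _hash(raw: str) -> str:
    return hashlib.sha256(raw.encode()).hexdigest()

def check_admin_header(headers: dict, admin_key: str) -> bool:
    """Gate for every admin route: x-admin-key must equal the ADMIN_API_KEY value."""
    sent = headers.get("x-admin-key", "")
    return bool(admin_key) and hmac.compare_digest(sent, admin_key)

def create_key(name: str, active: bool = True, expires_in_days: Optional[int] = None):
    """Returns (key_id, raw_key); the caller must save raw_key now, it is not stored."""
    raw = "ck_" + secrets.token_urlsafe(32)
    now = datetime.now(timezone.utc)
    expires = now + timedelta(days=expires_in_days) if expires_in_days is not None else None
    key_id = secrets.token_hex(8)
    STORE[key_id] = KeyRecord(name, _hash(raw), raw[:7], active, expires)
    return key_id, raw

def rotate_key(key_id: str) -> str:
    """Replace the secret in place; the previous raw key stops verifying immediately."""
    raw = "ck_" + secrets.token_urlsafe(32)
    rec = STORE[key_id]
    rec.key_hash, rec.prefix = _hash(raw), raw[:7]
    return raw

def deactivate_key(key_id: str) -> None:
    STORE[key_id].active = False

def list_keys() -> list:
    """Masked metadata only: prefix plus a placeholder, never the hash or raw key."""
    return [{"id": k, "name": r.name, "key": r.prefix + "****", "active": r.active,
             "expires_at": r.expires_at.isoformat() if r.expires_at else None}
            for k, r in STORE.items()]

def verify_client_key(headers: dict) -> bool:
    """Check for protected routes: x-api-key must hash to an active, unexpired record."""
    h = _hash(headers.get("x-api-key", ""))
    now = datetime.now(timezone.utc)
    return any(hmac.compare_digest(r.key_hash, h) and r.active
               and (r.expires_at is None or r.expires_at > now) for r in STORE.values())
```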
Use the pages below as the main reference for implementation details.
