Skip to content

Separate API keys per consumer and log obfuscated key with requests #508

New issue
New issue
Open
Open
Separate API keys per consumer and log obfuscated key with requests#508
Assignees
eva-1729
@keiranjprice101

Description

@keiranjprice101
keiranjprice101
opened on Jun 13, 2025

Description of the issue

Currently, all external consumers of our API use the same shared API key. While this simplified initial setup, it limits our ability to:

  • Identify which consumer is making a request
  • Monitor or debug usage issues tied to specific consumers
  • Rotate or revoke keys for a specific integration without affecting others
  • Apply rate limiting, throttling, or analytics at the consumer level

Proposal

  1. Issue unique API keys per consumer
    This would give us greater visibility and control over how each integration is using the API. It also improves security by isolating credentials — if one key is leaked, only that consumer is affected.

  2. Log an obfuscated version of the API key with each request
    Example: log the first 4 and last 4 characters of the key (e.g. abcd********wxyz) alongside the request path (e.g., GET /endpoint). This helps quickly identify which consumer is responsible for specific traffic while still avoiding full exposure of the secret in logs.

Benefits

  • Easier debugging and support (e.g. “this error only affects Consumer A”)
  • Enables per-consumer metrics, quotas, and throttling
  • Enhances incident response (e.g. we can revoke just one key if compromised)
  • Improves auditability for compliance and observability

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions