Welcome back! In the previous lessons, you learned how to generate secure API keys, store them safely, and use them to authenticate requests to your FastAPI application. You also saw how to combine API key authentication with JWTs for flexible access control. Now that you have a solid foundation in creating and authenticating API keys, it is time to focus on managing them securely.

In this lesson, you will learn how to list your API keys in a way that protects sensitive information, how to revoke (deactivate) keys when they are no longer needed, and how to protect your API from abuse using rate limiting. These are essential skills for any real-world API, as they help you maintain security, support auditing, and prevent misuse. By the end of this lesson, you will be able to build robust API key management endpoints and understand how to integrate them into your FastAPI application.

When building an API key management system, it is important to allow users to view their keys — but you must never expose the full API key after it is created. This is a key security principle: if someone gains access to the list of keys, they should not be able to use them directly.

Let's look at how you can implement a secure listing endpoint. In the example below, the /api/api-keys/list route retrieves all API keys for the authenticated user. Instead of returning the full key, it provides a preview (just the prefix and asterisks), along with metadata such as the key's name, status, and expiration date.

In this code, the endpoint first fetches all API keys for the current user using SQLAlchemy's async query interface, ordering them by creation date. For each key, it calculates whether the key is expired and how many days remain until expiration. The keyPreview field is set to a string like pb_************************************************************, so the actual key value is never exposed. The status is set to expired, , or based on the expiration date. The response includes a list of keys with their metadata, as well as counts of total and active keys.

Sometimes, you need to disable an API key — maybe it was leaked, or it is no longer needed. Instead of deleting the key from the database, it is best practice to deactivate it. This keeps an audit trail, which is important for security and compliance. Deactivated keys can no longer be used, but you still have a record of their existence and history.

Here is how you can implement a revocation endpoint:

In this code, the endpoint looks up the API key by its ID and the current user using SQLAlchemy. If the key is found, it sets isActive to False and commits the change to the database. The action is logged for auditing. The response confirms the revocation and includes the key's ID and name.

A typical response would be:

By deactivating rather than deleting, you ensure that you can always review which keys existed and when they were revoked.

As your API grows, it is important to protect it from abuse. One common attack is to flood your API with requests, which can slow down or even crash your service. Rate limiting helps prevent this by restricting how many requests a user or API key can make in a given time period.

In Python/FastAPI applications, you can use the slowapi library to implement rate limiting. In this example, you configure rate limiting to allow each API key 100 requests per hour. The middleware checks if the request is authenticated with an API key and applies the limit accordingly. JWT and unauthenticated requests skip rate limiting entirely, as they typically represent interactive users who are less likely to abuse the API.

The slowapi library automatically adds dynamic rate limit headers to responses: X-RateLimit-Limit (total allowed requests), X-RateLimit-Remaining (requests left in the window), and X-RateLimit-Reset (timestamp when the limit resets). These headers are calculated in real-time based on the actual request count, helping API consumers understand their usage and avoid hitting the limit.

Here is the rate limiting setup:

Now that you have endpoints for listing and revoking API keys, and a rate limiting setup, you need to integrate them into your main FastAPI application. This ensures that all API routes are protected and that key management is available to authenticated users.

Here is how the routes and middleware are set up:

In this setup, the authentication middleware handles authentication for all /api routes, setting the request.state.auth_method and request.state.api_key_id attributes that the rate limiting depends on. The rate limiter is configured to only apply limits to API key authenticated requests, while JWT and unauthenticated requests skip rate limiting entirely. This structure keeps your application organized and secure, ensuring that automated API access is protected by rate limiting while interactive users can work without restrictions.

In this lesson, you learned how to manage API keys securely in your FastAPI application. You saw how to list API keys without exposing sensitive information, how to revoke keys safely for audit purposes, and how to protect your API from abuse using rate limiting that specifically targets API key requests while allowing interactive users unrestricted access. You also learned how to integrate these features into your main FastAPI application for a clean and secure architecture.

These skills are essential for any API that uses key-based authentication. They help you keep your users safe, support compliance, and maintain the reliability of your service. In the next set of practice exercises, you will get hands-on experience with these concepts, reinforcing what you have learned and preparing you to build secure, production-ready APIs. Remember, on CodeSignal, all the necessary libraries are pre-installed, so you can focus on writing and testing your code. Good luck, and keep building your security skills!