Welcome back! In the previous lessons, you learned how to generate secure API keys, store them safely, and use them to authenticate requests to your Express API. You also saw how to combine API key authentication with JWTs for flexible access control. Now that you have a solid foundation in creating and authenticating API keys, it is time to focus on managing them securely.

In this lesson, you will learn how to list your API keys in a way that protects sensitive information, how to revoke (deactivate) keys when they are no longer needed, and how to protect your API from abuse using rate limiting. These are essential skills for any real-world API, as they help you maintain security, support auditing, and prevent misuse. By the end of this lesson, you will be able to build robust API key management endpoints and understand how to integrate them into your Express application.

When building an API key management system, it is important to allow users to view their keys — but you must never expose the full API key after it is created. This is a key security principle: if someone gains access to the list of keys, they should not be able to use them directly.

Let's look at how you can implement a secure listing endpoint. In the example below, the /api/api-keys/list route retrieves all API keys for the authenticated user. Instead of returning the full key, it provides a preview (just the prefix and asterisks), along with metadata such as the key's name, status, and expiration date.

In this code, the endpoint first fetches all API keys for the current user, but only selects non-sensitive fields. For each key, it calculates whether the key is expired and how many days remain until expiration. The keyPreview field is set to a string like pb_************************************************************, so the actual key value is never exposed. The status is set to expired, expiring_soon, or based on the expiration date. The response includes a list of keys with their metadata, as well as counts of total and active keys.

Sometimes, you need to disable an API key — maybe it was leaked, or it is no longer needed. Instead of deleting the key from the database, it is best practice to deactivate it. This keeps an audit trail, which is important for security and compliance. Deactivated keys can no longer be used, but you still have a record of their existence and history.

Here is how you can implement a revocation endpoint:

In this code, the endpoint looks up the API key by its ID and the current user. If the key is found, it sets isActive to false and saves the change. The action is logged for auditing. The response confirms the revocation and includes the key's ID and name.

A typical response would be:

By deactivating rather than deleting, you ensure that you can always review which keys existed and when they were revoked.

As your API grows, it is important to protect it from abuse. One common attack is to flood your API with requests, which can slow down or even crash your service. Rate limiting helps prevent this by restricting how many requests a user or API key can make in a given time period.

In this example, you use the express-rate-limit library to limit each API key to 100 requests per hour. The middleware checks if the request is authenticated with an API key and applies the limit accordingly. JWT and unauthenticated requests skip rate limiting entirely, as they typically represent interactive users who are less likely to abuse the API. If the limit is exceeded, the user receives a clear error message.

Here is the rate limiting middleware:

This middleware uses a custom key generator to apply limits per API key. The skip function ensures that only API key authenticated requests are rate limited - JWT and unauthenticated requests bypass the rate limiting entirely. This approach focuses protection on automated API access while allowing interactive users to work without restrictions. If a user exceeds the limit, they receive a 429 error:

This helps protect your API from accidental or malicious overuse by automated systems using API keys.

Now that you have endpoints for listing and revoking API keys, and a rate limiting middleware, you need to integrate them into your main Express application. This ensures that all API routes are protected and that key management is available to authenticated users.

Here is how the routes and middleware are set up:

In this setup, the authenticateRequest middleware handles authentication for all /api routes, setting the req.authMethod and req.apiKeyId properties that the rate limiting middleware depends on. The apiKeyRateLimit middleware then applies rate limits only to API key authenticated requests, while JWT and unauthenticated requests skip rate limiting entirely. This structure keeps your application organized and secure, ensuring that automated API access is protected by rate limiting while interactive users can work without restrictions.

In this lesson, you learned how to manage API keys securely in your Express application. You saw how to list API keys without exposing sensitive information, how to revoke keys safely for audit purposes, and how to protect your API from abuse using rate limiting that specifically targets API key requests while allowing interactive users unrestricted access. You also learned how to integrate these features into your main Express router for a clean and secure architecture.

These skills are essential for any API that uses key-based authentication. They help you keep your users safe, support compliance, and maintain the reliability of your service. In the next set of practice exercises, you will get hands-on experience with these concepts, reinforcing what you have learned and preparing you to build secure, production-ready APIs. Remember, on CodeSignal, all the necessary libraries are pre-installed, so you can focus on writing and testing your code. Good luck, and keep building your security skills!