Introduction & Lesson Overview

Welcome back! In the previous lessons, you learned how to generate secure API keys, store them safely, and use them to authenticate requests to your Express API. You also saw how to combine API key authentication with JWTs for flexible access control. Now that you have a solid foundation in creating and authenticating API keys, it is time to focus on managing them securely.

In this lesson, you will learn how to list your API keys in a way that protects sensitive information, how to revoke (deactivate) keys when they are no longer needed, and how to protect your API from abuse using rate limiting. These are essential skills for any real-world API, as they help you maintain security, support auditing, and prevent misuse. By the end of this lesson, you will be able to build robust API key management endpoints and understand how to integrate them into your Express application.

Listing API Keys Securely

When building an API key management system, it is important to allow users to view their keys — but you must never expose the full API key after it is created. This is a key security principle: if someone gains access to the list of keys, they should not be able to use them directly.

Let's look at how you can implement a secure listing endpoint. In the example below, the /api/api-keys/list route retrieves all API keys for the authenticated user. Instead of returning the full key, it provides a preview (just the prefix and asterisks), along with metadata such as the key's name, status, and expiration date.

router.get('/list', verifyToken, async (req, res) => {
  try {
    const user = req.user;
    
    const apiKeys = await ApiKey.findAll({
      where: { userId: user.id },
      attributes: ['id', 'name', 'isActive', 'expiresAt', 'createdAt'],
      order: [['createdAt', 'DESC']]
    });
    
    const keysWithStatus = apiKeys.map(key => {
      const isExpired = new Date() > key.expiresAt;
      const daysUntilExpiry = Math.ceil(
        (key.expiresAt.getTime() - Date.now()) / (1000 * 60 * 60 * 24)
      );
      
      return {
        id: key.id,
        name: key.name,
        keyPreview: `pb_${'*'.repeat(60)}`, // Hide the actual key
        isActive: key.isActive,
        isExpired,
        expiresAt: key.expiresAt,
        createdAt: key.createdAt,
        status: isExpired ? 'expired' : 
                daysUntilExpiry < 30 ? 'expiring_soon' : 'active'
      };
    });
    
    res.json({
      apiKeys: keysWithStatus,
      totalCount: apiKeys.length,
      activeCount: keysWithStatus.filter(k => k.isActive && !k.isExpired).length
    });
  } catch (error) {
    console.error('Error listing API keys:', error);
    res.status(500).json({ error: 'Failed to list API keys' });
  }
});

In this code, the endpoint first fetches all API keys for the current user, but only selects non-sensitive fields. For each key, it calculates whether the key is expired and how many days remain until expiration. The keyPreview field is set to a string like pb_************************************************************, so the actual key value is never exposed. The status is set to expired, expiring_soon, or active based on the expiration date. The response includes a list of keys with their metadata, as well as counts of total and active keys.

A sample response might look like this:

{
  "apiKeys": [
    {
      "id": 1,
      "name": "My First Key",
      "keyPreview": "pb_************************************************************",
      "isActive": true,
      "isExpired": false,
      "expiresAt": "2024-07-10T12:00:00.000Z",
      "createdAt": "2024-06-10T12:00:00.000Z",
      "status": "active"
    }
  ],
  "totalCount": 1,
  "activeCount": 1
}

This approach allows users to manage their keys without risking exposure of sensitive information.

Secure API Key Revocation

Sometimes, you need to disable an API key — maybe it was leaked, or it is no longer needed. Instead of deleting the key from the database, it is best practice to deactivate it. This keeps an audit trail, which is important for security and compliance. Deactivated keys can no longer be used, but you still have a record of their existence and history.

Here is how you can implement a revocation endpoint:

router.delete('/:keyId', verifyToken, async (req, res) => {
  try {
    const user = req.user;
    const { keyId } = req.params;
    
    const apiKey = await ApiKey.findOne({
      where: { id: keyId, userId: user.id }
    });
    
    if (!apiKey) {
      return res.status(404).json({ error: 'API key not found' });
    }
    
    // Deactivate instead of deleting for audit trail
    apiKey.isActive = false;
    await apiKey.save();
    
    console.log('API key revoked:', {
      keyId: apiKey.id,
      userId: user.id,
      keyName: apiKey.name
    });
    
    res.json({ 
      message: 'API key revoked successfully',
      revokedKey: {
        id: apiKey.id,
        name: apiKey.name
      }
    });
  } catch (error) {
    console.error('Error revoking API key:', error);
    res.status(500).json({ error: 'Failed to revoke API key' });
  }
});

In this code, the endpoint looks up the API key by its ID and the current user. If the key is found, it sets isActive to false and saves the change. The action is logged for auditing. The response confirms the revocation and includes the key's ID and name.

A typical response would be:

{
  "message": "API key revoked successfully",
  "revokedKey": {
    "id": 1,
    "name": "My First Key"
  }
}

By deactivating rather than deleting, you ensure that you can always review which keys existed and when they were revoked.

Implementing Rate Limiting For API Key Requests

As your API grows, it is important to protect it from abuse. One common attack is to flood your API with requests, which can slow down or even crash your service. Rate limiting helps prevent this by restricting how many requests a user or API key can make in a given time period.

In this example, you use the express-rate-limit library to limit each API key to 100 requests per hour. The middleware checks if the request is authenticated with an API key and applies the limit accordingly. JWT and unauthenticated requests skip rate limiting entirely, as they typically represent interactive users who are less likely to abuse the API. If the limit is exceeded, the user receives a clear error message.

Here is the rate limiting middleware:

export const apiKeyRateLimit = rateLimit({
  windowMs: 60 * 60 * 1000, // 1 hour
  max: 100, // limit each API key to 100 requests per windowMs
  message: {
    error: 'Rate limit exceeded',
    message: 'Too many requests. Limit: 100 per hour',
    retryAfter: '1 hour'
  },
  // Custom key generator for API keys
  keyGenerator: (req) => {
    // Rate limiting only applies to API key authenticated requests
    return `api_key_${req.apiKeyId}`;
  },
  // Skip rate limiting for non-API-key requests
  skip: (req) => {
    return req.authMethod !== 'api_key';
  },
  // Custom handler for rate limit exceeded
  handler: (req, res) => {
    console.warn('Rate limit exceeded:', {
      apiKeyId: req.apiKeyId,
      ip: req.ip,
      userAgent: req.headers['user-agent']
    });
    
    res.status(429).json({
      error: 'Rate limit exceeded',
      message: 'Too many requests. Limit: 100 per hour',
      retryAfter: '1 hour'
    });
  },
  // Add rate limit headers to response
  standardHeaders: true,
  legacyHeaders: false
});

This middleware uses a custom key generator to apply limits per API key. The skip function ensures that only API key authenticated requests are rate limited - JWT and unauthenticated requests bypass the rate limiting entirely. This approach focuses protection on automated API access while allowing interactive users to work without restrictions. If a user exceeds the limit, they receive a 429 error:

{
  "error": "Rate limit exceeded",
  "message": "Too many requests. Limit: 100 per hour",
  "retryAfter": "1 hour"
}

This helps protect your API from accidental or malicious overuse by automated systems using API keys.

Integrating Management Endpoints Into Express

Now that you have endpoints for listing and revoking API keys, and a rate limiting middleware, you need to integrate them into your main Express application. This ensures that all API routes are protected and that key management is available to authenticated users.

Here is how the routes and middleware are set up:

import express from 'express';
import authRoutes from './auth.js';
import snippetRoutes from './snippets.js';
import adminRoutes from './admin.js';
import apiKeyRoutes from './apiKeys.js';
import staticRoutes from './static.js';
import { authenticateRequest } from '../middleware/authenticateRequest.js';
import { apiKeyRateLimit } from '../middleware/apiKeyRateLimit.js';

const router = express.Router();

router.use('/api', express.json());
router.use('/api', authenticateRequest); // Apply authentication
router.use('/api', apiKeyRateLimit); // Apply rate limiting to all API routes
router.use('/api/auth', authRoutes);
router.use('/api/api-keys', apiKeyRoutes);
router.use('/api/snippets', snippetRoutes);
router.use('/api/admin', adminRoutes);
router.use('/', staticRoutes);

export default router;

In this setup, the authenticateRequest middleware handles authentication for all /api routes, setting the req.authMethod and req.apiKeyId properties that the rate limiting middleware depends on. The apiKeyRateLimit middleware then applies rate limits only to API key authenticated requests, while JWT and unauthenticated requests skip rate limiting entirely. This structure keeps your application organized and secure, ensuring that automated API access is protected by rate limiting while interactive users can work without restrictions.

Summary & Next Steps

In this lesson, you learned how to manage API keys securely in your Express application. You saw how to list API keys without exposing sensitive information, how to revoke keys safely for audit purposes, and how to protect your API from abuse using rate limiting that specifically targets API key requests while allowing interactive users unrestricted access. You also learned how to integrate these features into your main Express router for a clean and secure architecture.

These skills are essential for any API that uses key-based authentication. They help you keep your users safe, support compliance, and maintain the reliability of your service. In the next set of practice exercises, you will get hands-on experience with these concepts, reinforcing what you have learned and preparing you to build secure, production-ready APIs. Remember, on CodeSignal, all the necessary libraries are pre-installed, so you can focus on writing and testing your code. Good luck, and keep building your security skills!

Sign up
Join the 1M+ learners on CodeSignal
Be a part of our community of 1M+ users who develop and demonstrate their skills on CodeSignal