API Key Authentication Middleware for External Integrations

[phertyameen]

Labels: middleware, authentication, integrations, medium-priority

Description:

Create API key authentication middleware to support external integrations, webhooks, and third-party service access.

Requirements:

• Support API key authentication via header (X-API-Key) or query parameter
• Generate secure, cryptographically random API keys
• Store API keys hashed in database (bcrypt or similar)
• Associate API keys with specific users or services
• Support multiple API keys per user/service
• Define scope/permissions per API key (read-only, write, admin)
• Track API key usage (rate limiting, analytics)
• Support API key expiration dates
• Allow API key revocation
• Rotate API keys periodically
• Log API key authentication attempts
• Return 401 for invalid/expired/revoked keys

Acceptance Criteria:

• External services can authenticate using API keys
• API keys never stored in plain text
• Each key has defined permissions scope
• Invalid keys rejected with clear error message
• API key usage tracked for billing/analytics (future)
• Keys can be revoked instantly
• Expiration dates enforced automatically
• Key rotation supported without service interruption
• Rate limiting applied per API key
• Audit log of all API key usage

API Key Format:

• Prefix: "mbk_" (Mind Block Key)
• Environment indicator: "live_" or "test_"
• Random string: 32 characters (base62)
• Example: mbk_live_Ab3Cd5Ef7Gh9Ij1Kl3Mn5Op7Qr9St1U

Key Management:

• Generation: Secure random generator
• Storage: bcrypt hash with salt
• Validation: Compare hashed values
• Revocation: Mark as inactive in database
• Expiration: Check expiry timestamp

Scopes/Permissions:

• read: Can read data (GET requests)
• write: Can create/update data (POST, PUT, PATCH)
• delete: Can delete data (DELETE requests)
• admin: Full access (all operations)
• custom: Define specific endpoint access

Security Features:

• Rate limiting per API key
• IP whitelisting (optional)
• Webhook signature verification
• Key rotation reminders
• Automatic expiration enforcement

Use Cases:

• Third-party analytics tools
• Webhook receivers
• Mobile app authentication (alternative to JWT)
• Partner integrations
• Automated testing/CI/CD

[Henrichy]

@Henrichy has applied to work on this issue as part of the Stellar Wave Program's 3rd wave.

Please can I work on this issue? I have experiences in API integration.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Henrichy to this issue.

[KAMALDEEN333]

@KAMALDEEN333 has applied to work on this issue as part of the Stellar Wave Program's 3rd wave.

Hi maintainer can i work on this

ℹ️ Repo Maintainers: To accept this application, review their application or assign @KAMALDEEN333 to this issue.

[drips-wave]

Congratulations, @KAMALDEEN333! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on March 30, 2026.

🧑‍💻 @KAMALDEEN333: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been completed by @KAMALDEEN333 as part of the Stellar Wave Program's 3rd Wave 🥳

😎 @KAMALDEEN333: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.