
This skill securely generates, rotates, and manages API keys with quotas, scoping, and revocation to streamline secure access control.

npx playbooks add skill a5c-ai/babysitter --skill api-key-manager

Review the files below or copy the command above to add this skill to your agents.

Files (2): SKILL.md (1.9 KB)
---
name: api-key-manager
description: API key generation, rotation, and management system
allowed-tools:
  - Read
  - Write
  - Edit
  - Glob
  - Grep
  - Bash
---

# API Key Manager Skill

## Overview

This skill implements comprehensive API key management including secure generation, rotation policies, usage tracking, and quota enforcement.

## Capabilities

- Generate cryptographically secure API keys
- Implement key rotation with grace periods
- Track key usage and enforce quotas
- Support key scoping and permissions
- Configure key prefix patterns for identification
- Implement key revocation and blacklisting
- Support multiple key types (test, live)
- Generate key hashes for secure storage

## Target Processes

- Authentication and Authorization Patterns
- Developer Portal Implementation
- Platform API Gateway Design

## Integration Points

- Key management systems (HashiCorp Vault)
- Rate limiting middleware
- Usage analytics systems
- Developer portal UIs
- API gateway key validation

## Input Requirements

- Key format requirements
- Scoping/permission model
- Rotation policy
- Quota definitions
- Storage security requirements

## Output Artifacts

- Key generation service
- Key validation middleware
- Rotation management system
- Usage tracking integration
- Quota enforcement rules
- Admin management API

## Usage Example

```yaml
skill:
  name: api-key-manager
  context:
    keyFormat:
      prefix: "sk_"
      testPrefix: "sk_test_"
      livePrefix: "sk_live_"
      length: 32
    rotation:
      enabled: true
      gracePeriod: "7d"
    scopes:
      - read
      - write
      - delete
    quotas:
      default: 1000
      premium: 10000
```

## Best Practices

1. Use cryptographically secure random generation
2. Prefix keys to indicate type (test/live)
3. Store only hashed keys in database
4. Implement rotation with overlap periods
5. Track usage per key for analytics
6. Support immediate revocation

Overview

This skill provides a complete API key generation, rotation, and management system for production platforms. It focuses on secure key creation, hashed storage, scoped permissions, usage tracking, quota enforcement, and immediate revocation. The design supports test and live key types and integrates with gateways, vaults, and analytics.

How this skill works

The skill generates cryptographically secure keys with configurable prefixes and lengths, stores only hashed key material, and issues metadata (type, scopes, quotas). It implements rotation policies with configurable grace periods, overlapping keys during rotation, and immediate revocation/blacklisting. Usage events are collected to enforce quotas and feed analytics, while middleware validates keys against scopes and rate limits.

When to use it

  • Building an API developer portal that issues and manages keys
  • Implementing an API gateway that must validate and scope requests
  • Adding rotation and revocation to an existing key-based auth model
  • Enforcing per-key quotas and collecting usage metrics
  • Integrating key management with HashiCorp Vault or similar secret stores

Best practices

  • Generate keys with a cryptographically secure RNG and enforce strong length requirements
  • Prefix keys (e.g., sk_test_, sk_live_) to distinguish environments and enforce handling rules
  • Never store raw keys; persist only salted hashes and use constant-time comparison for validation
  • Implement rotation with an overlap grace period so active clients continue to work during transition
  • Track usage per key to enable quota enforcement, anomaly detection, and billing
  • Provide immediate revocation and blacklisting endpoints for compromised keys
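The practices listed above and the flow described under "How this skill works" (prefixed key generation, salted-hash storage, constant-time validation, rotation with a grace period, immediate revocation, per-key quota) worked through as an added Python example; this is not code from the skill's files. The key layout sk_live_<id>_<secret>, the in-memory dictionary store and the record fields are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

GRACE_SECONDS = 7 * 24 * 3600  # matches "gracePeriod: 7d" in the usage example

def key_hash(salt, raw):
    """Salted hash of the raw key; only this digest is ever persisted."""
    return hmac.new(salt, raw.encode(), hashlib.sha256).digest()

class KeyManager:
    def __init__(self):
        self.store = {}  # key_id -> record dict (stand-in for a database table)

    def issue(self, live, scopes, quota=1000):
        """Mint a key of the form sk_live_<id>_<secret>; the raw value is returned once."""
        key_id = secrets.token_hex(8)
        raw = f"sk_{'live' if live else 'test'}_{key_id}_{secrets.token_urlsafe(32)}"
        salt = secrets.token_bytes(16)
        self.store[key_id] = {"salt": salt, "digest": key_hash(salt, raw), "scopes": frozenset(scopes),
                              "quota": quota, "used": 0, "revoked": False, "expires_at": float("inf")}
        return raw

    def _record(self, raw):
        parts = raw.split("_", 3)  # ["sk", "live"|"test", key_id, secret]; the id gives an O(1) lookup
        return self.store.get(parts[2]) if len(parts) == 4 and parts[0] == "sk" else None

    def validate(self, raw, scope, now):
        """Return (ok, reason); a successful call consumes one unit of quota."""
        rec = self._record(raw)
        if rec is None or not hmac.compare_digest(rec["digest"], key_hash(rec["salt"], raw)):
            return False, "unknown key"  # constant-time compare; same reason whether id or secret is wrong
        if rec["revoked"]:
            return False, "revoked"
        if now > rec["expires_at"]:
            return False, "rotation grace period expired"
        if scope not in rec["scopes"]:
            return False, "scope not granted"
        if rec["used"] >= rec["quota"]:
            return False, "quota exceeded"
        rec["used"] += 1
        return True, "ok"

    def rotate(self, raw, now):
        old = self._record(raw)
        old["expires_at"] = now + GRACE_SECONDS  # old key keeps working during the overlap window
        return self.issue(raw.startswith("sk_live_"), old["scopes"], old["quota"])

    def revoke(self, raw):
        self._record(raw)["revoked"] = True  # immediate: the next validate() call fails
```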

Example use cases

  • Developer portal issues test and live keys, displays scopes, and lets users rotate keys with a grace period
  • API gateway middleware validates incoming keys, enforces scope-based access, and applies rate limits
  • Platform integrates with a secrets manager to store key hashes and rotation metadata securely
  • Usage tracking pipeline aggregates per-key metrics for quota enforcement and billing calculation
  • Admin API allows emergency revocation, blacklisting, and audit querying for compliance

FAQ

Can the system rotate keys without breaking active clients?

Yes. Configure a rotation policy with an overlap/grace period so both old and new keys are accepted during the transition window.

How are keys stored securely?

Only hashed key material is stored. Raw keys are displayed once at creation. Use a secrets manager for metadata and rotate hashing salts if needed.