ApiKeyStrategy in the auth chain. It is created by workspace members through the POST /v1/api-keys endpoint and revoked via DELETE /v1/api-keys/:id; no PATCH route exists. Each key is linked to one or more workspace connectors via a separate api_key_workspace_connector_links join table, and those connectors are cleaned up automatically on revocation. The value field is the raw bearer secret โ it is only surfaced once at creation; all subsequent list responses return a masked_key derived from it.
Internal object. Not currently exposed on the public REST API. The operations below describe the intended contract.
API operations
Data model
Attributes
Relationships
System-computed
- api_key_id โ generated via gen_random_uuid() defaultRaw on INSERT
- created_at โ set by MikroORM onCreate hook, never writable
- updated_at โ set by MikroORM onCreate + onUpdate hooks, never writable
- value โ generated server-side by ApiKeyService (random secure secret); returned once at creation, never again
- last_used_at โ stamped by ApiKeyStrategy on each successful auth pass, not user-writable
- is_active โ defaults to true on INSERT; set to false by ApiKeyService.revokeApiKey() on DELETE, not directly patchable
Example
apps/api/src/database/entities/ApiKey.ts ยท domain: platform ยท tier: Platform