/Managing User Generated API Keys for your Application
Managing User Generated API Keys for your Application
David Kennedy

If you are building an application which allows users to access data via API Keys, you need a way for users to manage those keys easily. In this article, I am going to cover how I setup API keys to make management of them easy for myself and users

Main topics I am going to cover are:

  • API Key implementation types

  • API Key Rotation

  • API Key labeling

Let’s get started!

API Key Implementation Types

There are two ways of implementing API keys:

  • Retrievable:These are API keys that can be retrieved or viewed multiple times after their creation. They offer the convenience of recovery in case the key is lost or forgotten. However, this convenience can sometimes lead to security risks, as the ability to retrieve a key means it is stored in a way that can be accessed, potentially by unauthorized users.

  • Irretrievable: In contrast, irretrievable keys can only be viewed at the time of creation and cannot be retrieved later. If a key is lost, it cannot be recovered, reducing the risk of unauthorized access.

I use irretrievable keys in most of my projects. They are a bit easier to manage, and provide solid security.

Managing API Key Rotations

Managing transitions from old and new API keys are essential to a good users experience. A simple way to implement this is to allow users to create new API Keys before they delete an old one. I do this for this simplicity, allowing users to effectively manage their own key rotations.

API Key Labeling

After a key is created I want users to be able to identify API keys. A simple and effective way to do this is by adding labels to the key. This allows users to quickly determine which API key they are dealing with.

An example of this is tcmak_id123 where tcmak is an application label which stands for TinyCM API Key. This allows users to identify a specific applications API Key. After that you can add a simple identifier string such as id123 which is viewable inside of your API Key dashboard for easy identification.

API Key Copying

When using irretrievable keys it is important you make it easy for users to copy the API key to minimize risk of errors before the key is no longer accessible by the user. A great method for this is to add a copy button users can use.

In addition to a copy button, making the API key easily copied without a button is important. Take a look at the following key:

apikey-abc-123 vs apikey_abc_123

The first API Key with dashes is hard to copy and requires a user to carefully select the whole key before copying. In the API Key with underscores a user only needs to double click and the whole key is selected, making it easier to copy.


Handling API keys can be overwhelming at first. Hopefully this overview of how I manage API Keys helps guide you toward an easy way to implement them in your application.

Happy Coding!

Powered by TinyCM