[{"data":1,"prerenderedAt":446},["ShallowReactive",2],{"blog-prompts/api-key-validation":3},{"id":4,"title":5,"body":6,"category":425,"date":426,"dateModified":427,"description":428,"draft":429,"extension":430,"faq":431,"featured":429,"headerVariant":432,"image":431,"keywords":431,"meta":433,"navigation":434,"ogDescription":435,"ogTitle":431,"path":436,"readTime":431,"schemaOrg":437,"schemaType":438,"seo":439,"sitemap":440,"stem":441,"tags":442,"twitterCard":444,"__hash__":445},"blog/blog/prompts/api-key-validation.md","Add API Key Validation with AI Prompts",{"type":7,"value":8,"toc":410},"minimark",[9,16,21,24,73,77,82,94,137,141,144,190,194,198,201,260,270,274,281,340,357,379,398],[10,11,12],"tldr",{},[13,14,15],"p",{},"These prompts help you add proper API key validation to your endpoints. They cover validating key format, checking against a database, handling invalid keys with proper error responses, and implementing key scoping for different permission levels.",[17,18,20],"h2",{"id":19},"basic-api-key-validation","Basic API Key Validation",[13,22,23],{},"Use this prompt to generate reusable API key validation middleware for your endpoints. Your AI will create header extraction, format validation, database lookup with timing-safe comparison, and proper 401/403 error responses with rate limiting.",[25,26,27,30,33,52,55,70],"prompt-box",{"title":20},[13,28,29],{},"Add API key validation to my API endpoints.",[13,31,32],{},"Requirements:",[34,35,36,40,43,46,49],"ol",{},[37,38,39],"li",{},"Accept API key in the Authorization header (Bearer token) or X-API-Key header",[37,41,42],{},"Validate the key format before database lookup",[37,44,45],{},"Look up the key in the database to verify it's valid",[37,47,48],{},"Return proper error responses for missing, invalid, or expired keys",[37,50,51],{},"Use timing-safe comparison to prevent timing attacks",[13,53,54],{},"The validation should:",[56,57,58,61,64,67],"ul",{},[37,59,60],{},"Return 401 for missing or malformed keys",[37,62,63],{},"Return 403 for invalid or revoked keys",[37,65,66],{},"Include rate limiting per API key",[37,68,69],{},"Log failed validation attempts (without logging the actual key)",[13,71,72],{},"Create reusable middleware that can be applied to protected routes.",[17,74,76],{"id":75},"framework-specific-validation","Framework-Specific Validation",[78,79,81],"h3",{"id":80},"nextjs-api-routes","Next.js API Routes",[13,83,84,85,89,90,93],{},"Copy this prompt to generate API key validation helpers for both Next.js Pages Router and App Router. You'll get a ",[86,87,88],"code",{},"withApiKey"," HOC, a ",[86,91,92],{},"validateApiKey"," helper, TypeScript types, and a secure key generation utility.",[25,95,97,100,103,120,123],{"title":96},"Next.js API Key Validation",[13,98,99],{},"Create API key validation middleware for Next.js API routes.",[13,101,102],{},"For both Pages Router and App Router:",[34,104,105,108,111,114,117],{},[37,106,107],{},"Create a withApiKey higher-order function for Pages Router",[37,109,110],{},"Create a validateApiKey helper for App Router route handlers",[37,112,113],{},"Check the Authorization header or X-API-Key",[37,115,116],{},"Validate against database (Supabase/Prisma/etc.)",[37,118,119],{},"Return proper JSON error responses",[13,121,122],{},"Include:",[56,124,125,128,131,134],{},[37,126,127],{},"TypeScript types for the API key and user",[37,129,130],{},"Edge runtime compatible version if needed",[37,132,133],{},"Example usage for both router types",[37,135,136],{},"Helper to generate new API keys with proper entropy",[78,138,140],{"id":139},"expressjs-middleware","Express.js Middleware",[13,142,143],{},"Use this prompt to generate Express middleware for API key validation. Your AI will produce middleware with timing-safe comparison, database key lookup, per-key rate limiting, and a key generation utility that hashes keys before storage.",[25,145,147,150,153,170,173,187],{"title":146},"Express API Key Middleware",[13,148,149],{},"Create Express middleware for API key validation.",[13,151,152],{},"Features needed:",[34,154,155,158,161,164,167],{},[37,156,157],{},"Middleware function that validates API keys",[37,159,160],{},"Support for both header-based and query param keys",[37,162,163],{},"Database lookup for key validation",[37,165,166],{},"Attach user/account info to req object on success",[37,168,169],{},"Configurable for different routes (some public, some protected)",[13,171,172],{},"Security requirements:",[56,174,175,178,181,184],{},[37,176,177],{},"Timing-safe string comparison",[37,179,180],{},"Rate limiting per key",[37,182,183],{},"Key hashing in database (don't store raw keys)",[37,185,186],{},"Proper error messages that don't leak information",[13,188,189],{},"Create both the middleware and a key generation utility.",[17,191,193],{"id":192},"advanced-validation-features","Advanced Validation Features",[78,195,197],{"id":196},"scoped-api-keys","Scoped API Keys",[13,199,200],{},"This prompt asks your AI to build a scoped API key system with granular permissions. You'll get a database schema for keys with read/write/admin scopes, expiration dates, and middleware that verifies the required scope for each endpoint.",[25,202,203,206,209,223,226,243,246],{"title":197},[13,204,205],{},"Implement scoped API keys with different permission levels.",[13,207,208],{},"I need:",[34,210,211,214,217,220],{},[37,212,213],{},"API keys with specific permissions (read, write, admin)",[37,215,216],{},"Keys that can be limited to specific endpoints",[37,218,219],{},"Keys with expiration dates",[37,221,222],{},"Keys tied to specific resources (e.g., only access their own data)",[13,224,225],{},"Database schema should include:",[56,227,228,231,234,237,240],{},[37,229,230],{},"Key hash (not raw key)",[37,232,233],{},"Scopes/permissions array",[37,235,236],{},"Created/expires dates",[37,238,239],{},"Last used timestamp",[37,241,242],{},"Associated user/account",[13,244,245],{},"Validation middleware should:",[56,247,248,251,254,257],{},[37,249,250],{},"Check key validity",[37,252,253],{},"Verify required scopes for the endpoint",[37,255,256],{},"Update last_used timestamp",[37,258,259],{},"Block expired keys",[261,262,263],"warning-box",{},[13,264,265,269],{},[266,267,268],"strong",{},"Never store raw API keys:"," Always hash API keys before storing them in your database. When a key is generated, show it once to the user, then only store the hash. This way, if your database is compromised, the keys can't be used.",[17,271,273],{"id":272},"key-generation","Key Generation",[13,275,276,277,280],{},"Copy this prompt to generate a complete API key generation system with prefixed keys (like Stripe's ",[86,278,279],{},"sk_live_"," format). Your AI will create key generation, checksum validation, hashing for storage, and a database migration for the keys table.",[25,282,284,287,289,306,323,326],{"title":283},"Secure Key Generation",[13,285,286],{},"Create a secure API key generation system.",[13,288,32],{},[34,290,291,294,297,300,303],{},[37,292,293],{},"Generate cryptographically secure random keys",[37,295,296],{},"Use a prefix to identify key type (e.g., pk_live_, sk_test_)",[37,298,299],{},"Include a checksum for basic validation",[37,301,302],{},"Hash the key before storing",[37,304,305],{},"Return the raw key only once (on creation)",[13,307,308,309,313,319,322],{},"Key format: ",[310,311,312],"span",{},"prefix",[314,315,316],"em",{},[310,317,318],{},"random_bytes",[310,320,321],{},"checksum","\nExample: sk_live_a1b2c3d4e5f6g7h8_x9y0",[13,324,325],{},"Provide:",[56,327,328,331,334,337],{},[37,329,330],{},"Key generation function",[37,332,333],{},"Key validation function (check format and checksum)",[37,335,336],{},"Key hashing function for storage",[37,338,339],{},"Database migration for the keys table",[341,342,343],"tip-box",{},[13,344,345,348,349,352,353,356],{},[266,346,347],{},"Pro tip:"," Use key prefixes like ",[86,350,351],{},"pk_"," (publishable) and ",[86,354,355],{},"sk_"," (secret) to help identify key types and catch accidental exposure of secret keys in client-side code.",[358,359,360,367,373],"faq-section",{},[361,362,364],"faq-item",{"question":363},"Should I use API keys or OAuth for authentication?",[13,365,366],{},"API keys are simpler and good for server-to-server communication. OAuth is better for user-facing applications where you need to authenticate users and control their access to resources.",[361,368,370],{"question":369},"Where should API keys be sent in requests?",[13,371,372],{},"The Authorization header is preferred (as Bearer token). The X-API-Key header is also common. Avoid query parameters as they can be logged in server access logs and browser history.",[361,374,376],{"question":375},"How often should API keys be rotated?",[13,377,378],{},"It depends on your security requirements. For high-security applications, rotate keys every 90 days. At minimum, rotate immediately if there's any suspicion of compromise.",[380,381,382,388,393],"related-articles",{},[383,384],"related-card",{"description":385,"href":386,"title":387},"Full API security hardening","/blog/prompts/secure-api-endpoints","Secure API Endpoints",[383,389],{"description":390,"href":391,"title":392},"Prevent API abuse","/blog/prompts/rate-limit-api","Add Rate Limiting",[383,394],{"description":395,"href":396,"title":397},"Complete auth implementation","/blog/prompts/add-api-authentication","Add API Authentication",[399,400,403,407],"cta-box",{"href":401,"label":402},"/","Start Free Scan",[17,404,406],{"id":405},"test-your-api-security","Test Your API Security",[13,408,409],{},"Scan your API endpoints to find authentication and validation issues.",{"title":411,"searchDepth":412,"depth":412,"links":413},"",2,[414,415,420,423,424],{"id":19,"depth":412,"text":20},{"id":75,"depth":412,"text":76,"children":416},[417,419],{"id":80,"depth":418,"text":81},3,{"id":139,"depth":418,"text":140},{"id":192,"depth":412,"text":193,"children":421},[422],{"id":196,"depth":418,"text":197},{"id":272,"depth":412,"text":273},{"id":405,"depth":412,"text":406},"prompts","2026-02-13","2026-03-06","AI prompts to add proper API key validation to your endpoints. Validate format, check permissions, and handle invalid keys securely.",false,"md",null,"cyan",{},true,"AI prompts to add proper API key validation to your endpoints.","/blog/prompts/api-key-validation","[object Object]","BlogPosting",{"title":5,"description":428},{"loc":436},"blog/prompts/api-key-validation",[443],"API Security","summary_large_image","02ivm9fQG2Th4hgJj2l8Cj82tBt_nHnP4zvnM5Rid6c",1775843938858]