Coming Soon · Security · Access

Apiome API Keys

Fine-grained, self-rotating API keys your security team will actually sign off on.

Apiome API Keys is the advanced access layer for every Apiome REST and MCP consumer, layering fine-grained permission scopes, per-key rate limits, and IP allowlisting on top of a hardened key foundation. Rotate secrets with configurable grace periods, tag keys by environment, and get webhook notifications for every lifecycle event.

Apiome API Keys primary surface
20+ scopes
Scope catalog
Up to 168h
Rotation grace period
15-minute JWTs
Short-lived tokens
Core capabilities

What ships with API Keys

Every API Keys surface is wired into the rest of the Apiome platform — no glue code, no separate identity, no bolt-on integrations.

Per-key rate limiting

Requests-per-minute and per-hour limits on every key, backed by atomic Redis sliding-window counters with standard X-RateLimit headers.

Fine-grained permission scopes

A canonical resource:action scope catalog spanning read, write, delete, admin, export, and AI operations — enforced on every route.

IP allowlisting per key

Restrict each key to specific CIDR ranges with full IPv6 support and spoof-resistant X-Forwarded-For handling.

Zero-downtime key rotation

Rotate a key and keep the old secret valid for a configurable grace period of up to a week, with every rotation captured in the audit log.

Lifecycle webhooks

HMAC-SHA256 signed payloads fire on key creation, first use, expiration, and revocation, with automatic retries and per-attempt delivery logs.

Environment-aware key management

Tag keys as production, staging, development, or testing, keep show-once secrets, and clone or bulk-manage keys across environments.

Inside the product

A look inside Apiome API Keys

Live design previews from the API Keys mockup pack — 4 surfaces in total.

API Keys — Create key wizard

A three-step issuance wizard: choose Browser or MCP Server key type, then configure scopes, environment, expiration, IP restrictions, and rate limits.

API Keys — Edit key

Per-key editing surfaces general settings, tool-level MCP permissions, transport and rate limit controls, and a danger zone for revocation.

API Keys — MCP setup

Guided MCP setup with a show-once secret, ready-to-paste config snippets for Cursor, Claude Desktop, and VS Code, plus a live connection test.

Built for these teams

Use cases

API Keys is designed around the way real teams actually work — not the way a tool wants them to work.

Platform engineering teams

Enforce a 90-day maximum key age, rotate production keys with a seven-day overlap window, and never take an integration down during a credential change.

Security & compliance leads

Lock every key to known CIDR ranges, require MFA before new keys are minted, and trigger one-click emergency revocation during an incident.

AI & developer tooling teams

Issue MCP Server keys for Cursor, Claude Desktop, and VS Code agents with tool-level permissions — read access without ever exposing writes.

Enterprise-grade

Built for procurement, InfoSec, and audit

API Keys ships with the controls your security, legal, and finance partners ask for first — so you can deploy with confidence and pass review with evidence.

  • MFA-backed key creation — require TOTP or SMS verification before any new API key is minted
  • HMAC-SHA256 signed requests and OAuth 2.0 client credentials flow for regulated integration patterns
  • Short-lived JWT token exchange (RS256, published JWKS) that shrinks the attack window to minutes
  • Tenant-wide maximum key age policies with rotation reminders and automatic expiry enforcement
  • Secret-scanning exposure callbacks, anomaly detection, and one-click emergency revocation of all keys
  • Dedicated MCP Server key type with tool-level permissions for IDE and agent clients
  • Usage anomaly detection that flags unusual geolocations and access hours per key
  • Auto-throttling that detects traffic spikes and applies temporary limits before damage is done
  • Granular AI scopes — ai:chat, ai:generate, ai:review — to control exactly what agents can invoke
AI integration

Credentials built for the agent era

API Keys treats AI agents as first-class consumers: dedicated MCP Server keys carry per-tool permission scopes, while anomaly detection and auto-throttling watch how every key behaves — not just whether it authenticates.

Every API KeysAI feature is grounded in your tenant's data, runs under your data-residency policy, and respects every role and ACL the platform enforces.

Every surface in Apiome API Keys

A look at the 4 screens designed for this suite — covering everything from day-1 onboarding to day-100 operations.

api-keys-list
create-key
edit-key
mcp-setup

Be first in line for API Keys

Early-access tenants help us shape API Keys — and get production-grade pricing locked in before general availability.