Apiome API Keys
Fine-grained, self-rotating API keys your security team will actually sign off on.
Apiome API Keys is the advanced access layer for every Apiome REST and MCP consumer, layering fine-grained permission scopes, per-key rate limits, and IP allowlisting on top of a hardened key foundation. Rotate secrets with configurable grace periods, tag keys by environment, and get webhook notifications for every lifecycle event.

What ships with API Keys
Every API Keys surface is wired into the rest of the Apiome platform — no glue code, no separate identity, no bolt-on integrations.
Per-key rate limiting
Requests-per-minute and per-hour limits on every key, backed by atomic Redis sliding-window counters with standard X-RateLimit headers.
Fine-grained permission scopes
A canonical resource:action scope catalog spanning read, write, delete, admin, export, and AI operations — enforced on every route.
IP allowlisting per key
Restrict each key to specific CIDR ranges with full IPv6 support and spoof-resistant X-Forwarded-For handling.
Zero-downtime key rotation
Rotate a key and keep the old secret valid for a configurable grace period of up to a week, with every rotation captured in the audit log.
Lifecycle webhooks
HMAC-SHA256 signed payloads fire on key creation, first use, expiration, and revocation, with automatic retries and per-attempt delivery logs.
Environment-aware key management
Tag keys as production, staging, development, or testing, keep show-once secrets, and clone or bulk-manage keys across environments.
A look inside Apiome API Keys
Live design previews from the API Keys mockup pack — 4 surfaces in total.

A three-step issuance wizard: choose Browser or MCP Server key type, then configure scopes, environment, expiration, IP restrictions, and rate limits.

Per-key editing surfaces general settings, tool-level MCP permissions, transport and rate limit controls, and a danger zone for revocation.

Guided MCP setup with a show-once secret, ready-to-paste config snippets for Cursor, Claude Desktop, and VS Code, plus a live connection test.
Use cases
API Keys is designed around the way real teams actually work — not the way a tool wants them to work.
Enforce a 90-day maximum key age, rotate production keys with a seven-day overlap window, and never take an integration down during a credential change.
Lock every key to known CIDR ranges, require MFA before new keys are minted, and trigger one-click emergency revocation during an incident.
Issue MCP Server keys for Cursor, Claude Desktop, and VS Code agents with tool-level permissions — read access without ever exposing writes.
- MFA-backed key creation — require TOTP or SMS verification before any new API key is minted
- HMAC-SHA256 signed requests and OAuth 2.0 client credentials flow for regulated integration patterns
- Short-lived JWT token exchange (RS256, published JWKS) that shrinks the attack window to minutes
- Tenant-wide maximum key age policies with rotation reminders and automatic expiry enforcement
- Secret-scanning exposure callbacks, anomaly detection, and one-click emergency revocation of all keys
- Dedicated MCP Server key type with tool-level permissions for IDE and agent clients
- Usage anomaly detection that flags unusual geolocations and access hours per key
- Auto-throttling that detects traffic spikes and applies temporary limits before damage is done
- Granular AI scopes — ai:chat, ai:generate, ai:review — to control exactly what agents can invoke
Credentials built for the agent era
API Keys treats AI agents as first-class consumers: dedicated MCP Server keys carry per-tool permission scopes, while anomaly detection and auto-throttling watch how every key behaves — not just whether it authenticates.
Every API KeysAI feature is grounded in your tenant's data, runs under your data-residency policy, and respects every role and ACL the platform enforces.
Every surface in Apiome API Keys
A look at the 4 screens designed for this suite — covering everything from day-1 onboarding to day-100 operations.


