🔑 API Key Expiry & Rotation Mechanism

[mijinummi]

📌 Overview

Long-lived API keys pose a significant security risk if compromised. To improve security and compliance, GasGuard requires API key expiry and rotation mechanisms.

This task introduces time-bound API keys with rotation endpoints, ensuring secure and manageable access for developers and integrators.

---

🎯 Objective

Build a secure API key management system that:

• Supports automatic key expiry
• Enables seamless key rotation
• Maintains backward compatibility with active sessions
• Enhances security compliance and reduces risk of key compromise

---

🛠 Scope of Work

1️⃣ API Key Expiry

• Assign expiration timestamp to each API key at creation
• Support configurable expiry periods (e.g., 30 days, 90 days)
• Automatically revoke expired keys
• Return clear error response for expired keys:

{
  "error": "APIKeyExpired",
  "message": "This API key has expired. Please rotate or request a new key."
}


---
## 2️⃣ Key Rotation Endpoint

Expose endpoints to rotate API keys securely:

POST /api-keys/:key/rotate
GET  /api-keys/:key/status

---
##3️⃣ Integration & Enforcement
Validate API keys on every request
Reject expired or revoked keys
Maintain audit logs for key rotations and expirations
Optional: alert developers prior to key expiry


---
## ✅ Acceptance Criteria

1. API keys expire correctly according to configuration
2. Rotation endpoint generates new keys and invalidates old keys
3. Expired or revoked keys rejected with proper error
4. Audit logs maintained for key events
5. Documentation updated
6. All tests passing

[drips-wave]

This issue has been added to the Stellar Wave Program and is worth 200 Points.

🧑‍💻 Interested in contributing? Apply to work on this issue on Drips Wave, earn points, and receive rewards.

Warning

Only applications submitted via the apply link above will be considered. Please do not apply by commenting on the issue or opening a PR directly.

🤠 Repo maintainers: You can manage this issue's Points and Complexity on your Maintainer Dashboard here. Please keep an eye on applications and respond quickly 💙

ℹ️ Learn more about Drips Wave

[David-patrick-chuks]

@David-patrick-chuks has applied to work on this issue as part of the Stellar Wave Program's 2nd wave.

I’d like to work on this issue because API key lifecycle management is critical for security and compliance. I have experience implementing secure authentication systems with key expiry, rotation flows, and audit logging. I can design configurable expiration logic, build secure rotation and status endpoints, enforce validation on each request, and ensure backward compatibility with active sessions. I’ll also provide proper error handling, logging, and test coverage to meet all acceptance criteria.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @David-patrick-chuks to this issue.

[Armolas]

@Armolas has applied to work on this issue as part of the Stellar Wave Program's 2nd wave.

Hi, I’d like to work on this issue.

I’m a backend and blockchain engineer with experience building authentication systems, secure token flows, and production-ready API layers. I’ve implemented key-based auth, rotation strategies, and validation middleware in previous systems.

For this task, I’d:
• Extend the API key model to include expiration timestamps and status flags
• Enforce automatic expiry checks in auth middleware
• Implement a secure rotation endpoint that issues a new key while invalidating the old one safely
• Ensure backward compatibility for active sessions where required
• Add audit logging for key creation and rotation events
• Write tests covering expiry validation, rotation flow, and edge cases

I’ll prioritize secure storage (hashed keys), atomic rotation, and minimal disruption for integrators.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Armolas to this issue.