Separate API keys per consumer and log obfuscated key with requests #508
Description
Description of the issue
Currently, all external consumers of our API use the same shared API key. While this simplified initial setup, it limits our ability to:
- Identify which consumer is making a request
- Monitor or debug usage issues tied to specific consumers
- Rotate or revoke keys for a specific integration without affecting others
- Apply rate limiting, throttling, or analytics at the consumer level
Proposal
-
Issue unique API keys per consumer
This would give us greater visibility and control over how each integration is using the API. It also improves security by isolating credentials — if one key is leaked, only that consumer is affected. -
Log an obfuscated version of the API key with each request
Example: log the first 4 and last 4 characters of the key (e.g.abcd********wxyz) alongside the request path (e.g.,GET /endpoint). This helps quickly identify which consumer is responsible for specific traffic while still avoiding full exposure of the secret in logs.
Benefits
- Easier debugging and support (e.g. “this error only affects Consumer A”)
- Enables per-consumer metrics, quotas, and throttling
- Enhances incident response (e.g. we can revoke just one key if compromised)
- Improves auditability for compliance and observability