Tesseral
Back to Guides

API Key Management Service: What It Is, Why It Matters, and How to Choose One

Ned O'Leary
Ned O'Leary
Cofounder and CEO, Tesseral

Intro

You’re a developer building a public API for your customers. Now what happens when one of your customers wants to use it?

You need to authenticate your customers' API requests; you need to know who people are. Among other things, you can't let just anyone mutate any data. Each user of your API needs access only to the data they're allowed to change.

authenticate-api-request

That means every user needs some kind of API key, an impossible-to-guess secret that proves their identity.

Now, you can’t just email each user a key. You can't send it over Slack or text message either. Seriously, though. Please don't do this. We see people pass along sensitive, long-lived secrets insecurely more often than we'd like. You need to protect yourself and your users.

You need a way to issue new API keys, manage their permissions, track their usage, and, critically, revoke or rotate keys. You also need to check the validity of API keys you receive. All of this needs to be highly secure.

You basically have two options:

  1. Build and maintain all this functionality yourself. This is certainly possible -- and appropriate in some cases -- but it is indisputably a ton of work to do properly. Most people should avoid doing this if they can.

  2. Use a pre-built solution from a commercial vendor or open source project. This is vastly simpler and generally more secure if you haven't done much authentication work before.

Let's assume you're interested in option #2 above: in using a pre-built solution to manage your customers' keys for accessing your public API. We'll call such solutions API key management services.

In this article, we'll cover:

  • What an API key management service does
  • How to pick a suitable API key management service
  • A few tips and tricks for managing customers' API keys

Understanding API key management services

What does an API key management service do for your API?

Let's start with API keys themselves. You need to issue keys for your public API in service of three main functions:

  1. Authentication: if someone calls your API, you need to know who they are. Each API key needs to be unique to a customer. Presentation of a valid API key is generally considered proof of identity. (It's kind of like a password for a user.)

  2. Authorization: if someone calls your API, you need to know what they're allowed to do. API keys help you determine whether to honor your customer's API call (e.g., to change certain data, to return certain data, etc.). It's not enough to know who a user is -- you need to make sure they're actually allowed to do what they're requesting.

  3. Control: API keys help keep you in control of your software. For instance, they help you rate limit certain customers, revoke certain customers access, and keep track of what certain customers are doing. Life is generally quite hard without API keys!

Here are some of the main things that a good API key management service will help you with: (As you might imagine, API key management services are valuable for many of the same reasons that API keys themselves are valuable!)

  1. API key lifecycle management: an API key management service will help you generate new API keys. It will also help you revoke or rotate (i.e. replace) API keys. For example, you might mint a new key that's due to expire in 90 days -- a good API key management service would enforce that expiry without making you handle it by hand.

  2. API key authentication: an API key management service will abstract away your verification of customers' API keys. In many cases, they'll set up a database of hashed API keys, against which you can check an incoming API call. You don't have to store all of this data yourself. (Note: this database lookup is not trivial to do quickly, especially if you have many customers with API keys.)

  3. API key authorization: just as with authentication, an API key management service will often keep track of the permissions associated with an API key. Here again, you simply have to query the service whether a given permission belongs to a given key -- you don't have to store this data yourself.

  4. Rate limiting: an API key management service can often enforce rate limits. That is, it can make sure that certain customers are not using your API excessively (e.g., in a way that impairs performance for your other customers).

  5. Audit logs: an API key management service may keep track of the API calls you've received. Your customers may appreciate that you keep track of this data for them.

  6. User experience: in some cases, a strong API key management service will improve your customers' experience. For example, it might provide a user-facing dashboard in which customers can manage API keys' creation, permissions, and expiry themselves.

In short, API key management services do a lot!

Why use an API key management service for your API?

Ultimately, whether to use an API key management service depends a bit on your requirements. Some developers will find these services useful. Others will decide that they would rather something from scratch.

There are many valid reasons to use an API key management service. We often see developers adopt such services when one or more of the following is true (no need for even a few of these to be true):

  • They prioritize time-to-market. It's almost always faster to pick something off the shelf than to build something yourself. Developers that need to move very quickly will often just use a service.

  • They want to focus on core product. There's only so much complexity you can wrangle all at once. Many developers try to outsource everything they can -- instead focusing on the few things that they unequivocally need to build in-house.

  • They don't want to deal with maintenance. "No good deed goes unpunished," a former boss and mentor once told me. If you volunteer to solve a problem, you can never just leave the problem behind. If you build a custom solution in-house, it will be your job to maintain it.

  • They want a polished experience for customers. If you're building something like API key management yourself, it's probably not the only thing you're responsible for; you won't have the resources to make things as perfect as you'd want. Specialized services frequently invest in features that in-house builds can never prioritize.

  • They want something highly performant. Every time you get an API call, you need to check the API key. Every millisecond you spend checking the API key adds latency. And if you can't check the API key (e.g., from an outage), your API is pretty much entirely down. It's possible that an API key management service faster and more resilient than what you'd build in-house.

  • They don't have the technical ability. This is actually one of the least common reasons, but it's worth including. A lot of people have never done auth work before, and they're rightly concerned with making sure it gets done right. They'd rather not risk grievous error.

All told, there are a bunch of reasons to consider an API key management service for your public API!

Picking an API key management service for your API

Suppose you're convinced that you want to adopt an API key management service for your public API. You've decided not to handle all of the complexity yourself. (In most -- but not all -- cases, I think this is the right call!)

You still need to pick which service you're going to use. Let's go over some of the things you'll want to consider. Then let's look at some of the different solutions that are out there.

API key management services: the features you need

You should look for some of these features when you're looking at an API key management service:

  • Key issuance: you probably want the ability to programmatically issue new API keys both via API call and through a hosted user interface you can put in front of your customers. It's nice to have the flexibility.

  • Programmable key expiry: this is a must. You need to have the ability to auto-expire API keys after a certain amount of time has elapsed. For example, you may want keys to expire three months after creation. Certain compliance regimes require this behavior.

  • Key revocation: this is a must. You need to have the ability to mark an API key revoked and refuse to honor it thereafter. People accidentally expose their API keys all the time. It's best to limit the blast radius when this happens.

  • Scopes and permissions: in the same way that we apply limited roles and permissions to users, so too should we limit API keys. You will want certain API keys to have narrower permissions than others; not everyone gets to be a superadmin.

  • Audit logs and metrics: this is a nice-to-have. It's helpful if you can keep track of everything a given API key has been used for. Good-looking dashboards are probably also nice.

  • Rate limiting: this is a nice-to-have. You'll likely want help applying certain limits to the keys that your customers use.

  • Integration with user authentication: life is simpler when your API key management service interfaces nicely with the system you use to manage user identities. (Actually, it's ideal to use the same system for both!)

Keep an eye out for those kinds of features.

API key management services: the top vendors in 2025

Kong

Best for: developers that need an extremely powerful API gateway product with key management built-in.

Kong is an enterprise-grade API gateway. It sits in front of your services and handles things like routing, rate limiting, authentication, and logging.

It’s powerful, flexible, and proven. However, it is not simple. It is quite a heavy solution. There's a chance Kong is what you're looking for, but if you're just looking for a way to manage API keys for your API, it's more likely that Kong's overkill.

Tyk

Best for: developers that need a powerful gateway product like Kong, but who prefer (or need) to use something that's open source.

Tyk is an API gateway tool like Kong, but it's open source. You can issue keys, define rate limits and quotas, assign scopes, and track usage.

I understand it to be a little more lightweight than Kong, but you should still expect to do a bunch of work. You'll be happiest with Tyk if you really want control and don’t mind dealing with a bunch of complexity.

Tyk is probably too much if all you need is a quick way to issue and verify keys.

Unkey

Best for: API-first products that want a powerful, developer-friendly, and specialized solution to handle their API keys.

Unkey is an open source API management tool. It offers key issuance (and related API key lifecycle management like revocation), roles and permissions, rate limiting, and analytics.

It's focused on API management, so it's both vastly more lightweight than Kong or Tyk and generally more feature-rich (e.g., in rate-limiting) than most auth platforms.

Tesseral

Best for: B2B software applications that want integrated user authentication and managed API keys bundled together in an elegant open source service.

Tesseral is open source auth infrastructure for B2B software. Right out of the box, it includes everything you need to manage customers' identities in multitenant B2B SaaS: from a hosted login page to enterprise single sign on and user provisioning to managed API keys. If you want to learn more, you can just book time with a founder directly!

TSRL-banner

Because it's integrated with Tesseral's broader authentication system for SaaS, you don't have to write any extra code. It just works out of the box.

All you have to do is set enableAPIKeys to be true. It's one setting. Here's an example in Express.js.

// make sure you've configured TESSERAL_BACKEND_API_KEY
app.use(
  requireAuth({
    publishableKey: "publishable_key_...",
    enableApiKeys: true,
  }),
);

It's pretty remarkable stuff!

About the Author
Ned O'Leary
Ned O'Leary
Cofounder and CEO, Tesseral
Ned is the cofounder and CEO of Tesseral. Previously he worked at Gem and the Boston Consulting Group. He writes about product design, identity, and access management. You can often find him at Baker Beach in San Francisco with his puppy, Fred.
Resources
Pricing
Docs
Blog
Security
Compare
Tesseral vs. Auth0
Tesseral vs. WorkOS
Tesseral vs. Clerk
Company
Terms of Use
Privacy Policy
Contact us
Schedule a Call
Social
GitHub
LinkedIn
X (Twitter)