Using the API Key API
Zuplo runs a globally distributed API Key management service that scales to handle billions of daily key validation requests while maintaining low latency from any region around the world.
Management of API Keys and consumers can be performed in the Zuplo Portal and for end-users in the Zuplo Developer Portal. However, all management operations regarding API Keys can also be performed using the Zuplo Developer API.
Building API key management into your product?
If you want to add self-serve API key creation, rotation, and deletion to your own application's UI, see Build Self-Serve API Key Management in Your Product for a complete implementation guide with architecture, code examples, and security guidance.
In order to obtain an API Key for the Developer API, go to your account settings in the Zuplo Portal. More information
Models
The service contains three primary object: Buckets, Consumers, and API Keys. For a conceptual overview of these objects see Key Concepts. Below is an ER diagram showing the relationships of the three primary objects and their most important fields.
The Consumer is the most important object. Each consumer is in a bucket. Consumers can contain one or more API Keys.
Buckets
Buckets are the top level group for this service. A bucket could be used with a single Zuplo environment or shared among multiple environments or projects. By default a Zuplo API Gateway project will be created with several buckets that map to production, preview, and development (working copy) environments.
Enterprise plan customers run complex configurations where buckets are shared across gateway projects or even accounts. This can allow your end-users to authenticate to all your APIs with a single API key with unified permissions.
Consumers
Consumers are the core of the API Key service. The consumer is the "identity" of
any API Keys that are created. Consumers have a name which must be unique in
the bucket. This name is used as the default user.sub property in the API
Key Authentication policy.
API Keys
A Consumer can have any number of API keys associated with it. Each API Key shares the same identity (for example Consumer) when authenticating with this service. Expired keys won't be permitted to authenticate after their expiration.
In most cases, you won't manage API Keys directly. When using the API, the typical configuration is to create a consumer with an API key and each consumer has only a single API key except when performing operations like rolling keys.
Usage
This section explains common scenarios for managing API keys using the API. For other uses, see the full Developer API reference.
All examples assume two environment variables are set (in your terminal, not inside Zuplo)
Code
Creating a Consumer with a Key
When creating a new Consumer, it's a good idea to include some useful metadata
like the organizationId or a particular plan that's associated with that
user.
Tags are used for querying the consumers later. It's often useful to store some external identifier that links this consumer to your internal data as a tag.
Code
The response will look like this:
Code
You can use this API Key to call your Zuplo API Gateway that's protected by the API Key Authentication policy.
Query Consumers with API Keys By Tags
Code
The response will look like this:
Code
Roll a Consumer's Keys
Key rotation is a critical part of API key lifecycle management. Instant revocation of a key can break every system that depends on it, so Zuplo supports rolling transitions — creating a new key while keeping the old key active for a defined grace period.
When you call the roll key endpoint, Zuplo:
- Creates a new key with no expiration for the consumer
- Sets the
expiresOndate on all existing keys to the value you specify
This gives consumers time to update their integration to the new key before the old one stops working.
Choosing a transition period
The right expiresOn value depends on how quickly consumers can update their
keys:
- Leaked key response — set
expiresOnto a past date or within minutes. Security incidents demand immediate action; a brief disruption is preferable to continued exposure. - Routine rotation — 24 to 72 hours gives most teams enough time to propagate the new key through CI/CD pipelines, environment variables, and secret managers.
- Scheduled rotation — for large organizations, 7 to 14 days accommodates deploy freezes, multi-team coordination, and staged rollouts.
Multiple keys per consumer
Consumers can also manage rotation themselves by creating a second key, deploying it, verifying traffic, and then deleting the old key on their own schedule. This pattern avoids any expiration deadline and puts the consumer in full control.
Tags for Request Authorization
Most API requests support tags as query parameters, even on non-GET requests.
This lets you enforce conditions without a separate lookup. In the example
below, the orgId tag ensures the consumer being updated belongs to that
organization.
The following call sets all existing keys to expire on the specified date and creates a new key without an expiration.
Code
Reference
The full API Reference for the API Service is hosted using a Zuplo developer portal at https://dev.zuplo.com/docs/.