Grants.govSimpler.Grants.govGitHubDiscourse
Edit

API Key Management

  • Status: Active

  • Last Modified: 2025-09-04

  • Related Issue: #4579, #3984

  • Deciders: Matt, Lucas, Julius

  • Tags: api, key

Context and Problem Statement

We need to support:

  • A self-service method for users signing up for API keys

  • A way to ensure bad API traffic doesn't saturate our API servers

  • The ability to apply different API quotas for external, our own FE, and Federal partners

Decision Drivers

  1. Offloads validation/enforcement load off our bill/infrastructure

  2. Easiest and fastest 0 to 1

  3. Well supported

  4. Open Source

Options Considered

Decision Outcome

Chosen option: "AWS API Gateway", because it gets us up and running the fastest, provides the most protection against traffic spikes/DDOS, and is the most fully formed/best practice solution.

Positive Consequences

  • Managed hosting/infra

  • Scalable

  • Already used successfully by other peer projects

Negative Consequences

  • Need to stay aware of the 10k key limit and ensure we aren't closing in on it without a mitigation plan in place.

Pros and Cons of the Options

AWS API Gateway

API Gateway by AWS is a managed, platform service that allows for key and quota enforcement.

  • Pros

    • Scalability/cost for traffic spikes/attacks is owned by AWS

    • Key and quota enforcement is owned by AWS

    • We can integrate to retrieve keys and match them to users within our system.

    • Well supported, best practice, utilizing a vendor integrated/supported service.

    • Established solution that we don't have to build/maintain ourselves

  • Cons

    • There is an immutable limit of 10k keys that AWS does not seem to be planning to raise

      • We are working to mitigate this with aggressive expiration of the tokens so we can keep our token count down

Off the shelf API Gateway

Use an existing API Gateway that requires we manage/run the offering on our infrastructure. Some examples include Kraken and Kong, but we did not specifically evaluate any products in this category.

  • Pros

    • Open Source

    • Established solution that we don't have to build/maintain ourselves

  • Cons

    • We take on the management/infrastructure costs of running the software

Custom solution

Implement quota and key enforcement directly in the API code.

  • Pros

    • Does exactly what we need, nothing more nothing less

  • Cons

    • We take on the management/infrastructure costs of running the software

    • We have to build and maintain the solution.

Links

PreviousCo-planning toolNextInfra

Last updated

Was this helpful?