API Key Manager

TsgcWSAPIKeyManager — full-lifecycle management for the API keys your sgcWebSockets servers issue. Generate, hash, validate, rotate, revoke and audit — all from one drop-on-form component.

Issue, Rotate and Revoke API Keys

Plaintext keys are seen exactly once; only the SHA-256/512/Bcrypt hash is stored.

Cryptographically Strong, Brand-Friendly Keys

The manager generates cryptographically random keys with a configurable human-readable prefix (e.g. sgc_live_aB3...) so support staff and log scrubbers can spot which environment a leaked key belongs to. Keys are hashed at rest with SHA-256, SHA-512 or Bcrypt, optionally key-stretched with extra iterations, and validated in constant time to thwart timing attacks.

Attach the manager to TsgcWebSocketHTTPServer or TsgcWSServer_HTTPAPI through the APIKeyManager property. Authorize requests by calling IsRequestAuthorized from the server's OnConnect event — the manager extracts the X-API-Key header (or query parameter), validates the key, optionally enforces a required scope and records the IP for audit.

  • Configurable key prefix, length, alphabet and optional checksum
  • SHA-256, SHA-512 or Bcrypt hashing with static salt and iterations
  • Encrypted-at-rest file storage with auto-save interval
  • Scope-based authorization (catalog of allowed scopes)
  • Rotation with grace period — old key valid until customer rolls over
  • Revocation, renewal and TTL-based expiry
  • IP allowlist, HTTPS-required and fail-closed validation
  • Tamper-resistant audit log for every key-lifecycle action

Lifecycle: Issue, Validate, Rotate, Revoke

Issue

IssueKey(Owner, Scopes, ExpiresInSec) generates a cryptographically random key, hashes it and stores the digest. The plaintext is returned exactly once — deliver it to your customer from the OnKeyIssued event handler. The hash, owner, scopes and metadata persist in storage; the plaintext is never written anywhere.

Validate

The server's OnConnect event calls IsRequestAuthorized with the connection's headers, URL and IP. The manager parses the key from the X-API-Key header (or api_key query parameter), rehashes it, performs a constant-time comparison, optionally enforces a required scope and verifies the request IP against the allowlist if configured.

Rotate

RotateKey(OldKey, NewKey) issues a fresh key for the same owner and scopes and marks the old one as kksRotated. During the configurable grace period (default 24 hours) both keys validate so the customer can swap without downtime. Auto-rotate sweeps keys older than AutoRotateDays, and OnKeyExpired fires NotifyBeforeExpirySec seconds early so you can email the customer in advance.

Revoke

RevokeKey(Key, Reason) immediately invalidates a key (subscription cancelled, key leaked). The audit log records the revocation, including IP and reason. Subsequent validations return False and OnKeyValidated fires with aValid := False.
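The four lifecycle steps above, modelled in Python as an added example (not sgcWebSockets code and not part of the original page). The class KeyStore, its method names, the constructed salt and the reuse of the original TTL on rotation are assumptions; the injectable clock exists so the grace period can be exercised.

```python
import hashlib, hmac, secrets, time

GRACE_SEC = 86400  # rotation grace period; the page's default is 24 hours
SALT = b"constructed-static-salt"  # constructed placeholder, not a real salt

class KeyStore:
    """Hypothetical model: maps digest -> record, never stores plaintext."""
    def __init__(self, prefix="sgc_live_", now=time.time):
        self.prefix, self.now, self.records = prefix, now, {}

    def _digest(self, key):
        return hashlib.sha256(SALT + key.encode()).hexdigest()

    def issue(self, owner, scopes, ttl_sec):
        key = self.prefix + secrets.token_urlsafe(24)  # CSPRNG, 32 characters
        self.records[self._digest(key)] = {
            "owner": owner, "scopes": set(scopes), "state": "active",
            "expires": self.now() + ttl_sec, "ttl": ttl_sec}
        return key  # the plaintext leaves here once and is not kept

    def _find(self, key):
        # Rehash the presented key and compare digests in constant time
        presented, hit = self._digest(key), None
        for digest, rec in self.records.items():
            if hmac.compare_digest(digest, presented):
                hit = rec
        return hit

    def validate(self, key, required_scope=None):
        rec = self._find(key)
        if rec is None or rec["state"] == "revoked":
            return False  # fail closed on unknown or revoked keys
        if self.now() >= rec["expires"]:
            return False  # TTL expiry, or grace period over for a rotated key
        return required_scope is None or required_scope in rec["scopes"]

    def rotate(self, old_key):
        rec = self._find(old_key)
        if rec is None or rec["state"] != "active":
            raise ValueError("only an active key can be rotated")
        new_key = self.issue(rec["owner"], rec["scopes"], rec["ttl"])
        rec["state"] = "rotated"  # old key stays valid only for the grace period
        rec["expires"] = min(rec["expires"], self.now() + GRACE_SEC)
        return new_key

    def revoke(self, key, reason):
        rec = self._find(key)
        if rec is not None:
            rec.update(state="revoked", reason=reason)  # immediate, no grace
```
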

Delphi Example

Issue a key, attach the manager, then authorize every connection.

// Branded keys
sgcWSAPIKeyManager1.Generation.KeyPrefix := 'sgc_live_';
sgcWSAPIKeyManager1.Generation.KeyLength := 32;

// Encrypted file storage that survives restarts
sgcWSAPIKeyManager1.Storage.StorageType := kstFile;
sgcWSAPIKeyManager1.Storage.FileName := 'apikeys.dat';
sgcWSAPIKeyManager1.Storage.EncryptAtRest := True;
// 'master-secret' is a placeholder: load the real encryption key from
// protected configuration rather than hard-coding it in source
sgcWSAPIKeyManager1.Storage.EncryptionKey := 'master-secret';

// SHA-256 hashing with a static salt ('my-salt' is a placeholder too)
sgcWSAPIKeyManager1.Hashing.Algorithm := khaSHA256;
sgcWSAPIKeyManager1.Hashing.Salt := 'my-salt';

// Scope catalog
sgcWSAPIKeyManager1.Scopes.Enabled := True;
with sgcWSAPIKeyManager1.Scopes.Scopes.Add as TsgcAPIKeyScopeItem do
begin
  Name := 'read:orders';
end;

// 90-day default TTL, 24h rotation grace period
sgcWSAPIKeyManager1.Expiration.DefaultTTLSec := 90 * 86400;
sgcWSAPIKeyManager1.Rotation.Enabled := True;
sgcWSAPIKeyManager1.Rotation.GracePeriodSec := 86400;

// Attach to server and load existing keys
sgcWSAPIKeyManager1.LoadFromFile('apikeys.dat');
sgcWebSocketHTTPServer1.APIKeyManager := sgcWSAPIKeyManager1;

// Issue a key (plaintext returned only here).
// LKey is a string variable declared in the enclosing routine.
LKey := sgcWSAPIKeyManager1.IssueKey('customer-123',
  TArray<string>.Create('read:orders'), 30 * 86400);

// Authorize every connection in OnConnect
procedure TForm1.ServerConnect(Connection: TsgcWSConnection);
begin
  if not sgcWSAPIKeyManager1.IsRequestAuthorized(
    Connection.HeadersRequest.Text, Connection.URL,
    Connection.IP, 'read:orders') then
    Connection.Disconnect;
end;

When to Reach for the API Key Manager

Branded Customer Keys

Generate sgc_live_ keys for production and sgc_test_ for staging. Support can spot environment leaks at a glance, and log scrubbers can redact prefixes consistently.

Tiered SaaS Authorization

Each customer's key carries scopes (read:orders, write:shipments). Pair with TsgcWSRateLimiter.PerAPIKey for per-tier rate limits read straight from the key store.

Compliance & Audit

12-month audit log retention, IP-stamped entries for every key-lifecycle action, OnAuditEvent for SIEM forwarding. Encrypted at-rest storage protects the key store on disk.

Leaked Key Recovery

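A customer reports a leaked key but their integration is still live. Rotate it: a fresh key is issued; the old one keeps working for 24h while the customer rolls over, then is invalidated automatically. During that grace period the leaked key still validates for anyone who holds it; if that exposure is not acceptable, RevokeKey invalidates it immediately.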
