MkSaaS Docs

API Key Management

Learn how to manage API keys in MkSaaS

This guide covers the API key management module in the MkSaaS template. The module integrates the Better Auth API Key plugin to support creating, listing, deleting, and verifying API keys.

Core Features

  • Create API keys with optional custom names
  • Full key is shown only once after creation; the list displays masked keys (prefix + ••••••)
  • List of the current user's keys (name, key prefix, created at, expires at)
  • Delete API keys
  • Key verification (server-side validation and a test page)

API Keys Interface

API key management is under Settings → API Keys. Only signed-in users can access it to manage their own keys.

  • Create key: Click "Create API Key", enter a name, and confirm. On success, a dialog shows the full key once; copy and store it securely—it cannot be shown again after closing.
  • List: The table shows name, masked key (e.g. mksaas_••••••••••••), created at, expires at (or "Never"), and a delete action per row.
  • Delete: Use the row menu to delete a key; it is invalidated immediately.

Verifying API Keys

In Your Own APIs

In protected routes, read the API key from the request and call auth.api.verifyApiKey to validate it. The template's example is in the src/app/api/test/apikey/route.ts file.

Test Verification

The project includes a test component, VerifyApiKeyCard, that sends the entered key to /api/test/apikey and displays whether verification succeeded, along with the key details (ID, name, created at, expires at). It is intended for development and debugging.

Security Notes

  • Copy and store the full key when the post-creation dialog is shown; it cannot be retrieved later.
  • Do not log or store the full key on the client; the list only shows a masked prefix.
  • In production, consider restricting or disabling /api/test/apikey to internal or development use only.
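
The verification flow from "In Your Own APIs", together with the production restriction on the test route noted above, as an added example (not the template's route.ts and not Better Auth's own code). The x-api-key header, the 256-character cap, the names guardApiKey and extractApiKey, and the stand-in verifier are assumptions; in the app the verifier would wrap auth.api.verifyApiKey.

```typescript
// Shape mirrors the { valid, error, key } result of Better Auth's verifyApiKey.
type VerifyResult = {
  valid: boolean;
  error: { message: string; code: string } | null;
  key: { id: string; name: string | null; expiresAt: Date | null } | null;
};
// In the app this would be: (key) => auth.api.verifyApiKey({ body: { key } })
type Verifier = (key: string) => Promise<VerifyResult>;
type Reply = { status: number; body: Record<string, unknown> };

// Header names are assumed lowercased. Reject empty or oversized values early.
function extractApiKey(headers: Record<string, string | undefined>): string | null {
  const raw = (headers["x-api-key"] ?? "").trim();
  return raw.length > 0 && raw.length <= 256 ? raw : null;
}

async function guardApiKey(
  headers: Record<string, string | undefined>,
  verify: Verifier,
  opts: { isTestRoute: boolean; isProduction: boolean },
): Promise<Reply> {
  // Keep the test endpoint unreachable in production.
  if (opts.isTestRoute && opts.isProduction) return { status: 404, body: { error: "Not found" } };
  const apiKey = extractApiKey(headers);
  if (!apiKey) return { status: 401, body: { error: "Missing API key" } };
  let result: VerifyResult;
  try {
    result = await verify(apiKey);
  } catch {
    // Fail closed, and never echo or log the submitted key.
    return { status: 401, body: { error: "Invalid API key" } };
  }
  if (!result.valid || !result.key) return { status: 401, body: { error: "Invalid API key" } };
  // Return only non-secret metadata, never the key itself.
  return { status: 200, body: { keyId: result.key.id, name: result.key.name } };
}

// Constructed sample key and stand-in verifier so the example runs offline.
const SAMPLE_KEY = "mksaas_constructed_sample_key";
const fakeVerify: Verifier = async (key) =>
  key === SAMPLE_KEY
    ? { valid: true, error: null, key: { id: "key_1", name: "ci", expiresAt: null } }
    : { valid: false, error: { message: "Invalid API key", code: "INVALID" }, key: null };
```
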

Next Steps

Explore related topics:

Authentication

Configure user authentication

User Management

User roles and ban management

Website Configuration

Configure website settings

Database

Configure database
