Create, list, revoke API keys; validate a key or exchange it for a short-lived JWT. validate and token are public (the key is the credential); the rest need a bearer.
import { GatekeeperCore, KeysService } from '@orkait/sdk';
const keys = new KeysService(core, { defaultScopes: ['read'], defaultQuotaPeriod: 'month' });Config#
| Option | Default | Effect |
|---|---|---|
defaultScopes | none | scopes applied by create when none are passed |
defaultQuotaPeriod | none | quota period applied by create when none is passed |
Per-call values in create(input) override these.
Methods#
| Method | Returns | Notes |
|---|---|---|
create(input) | ApiKeyCreateResult | input.tenantId required; plainTextKey shown once |
list(tenantId, options?) | Page<ApiKeyPublic> | options: { limit?, cursor? } for pagination |
get(id) | ApiKeyPublic | |
revoke(id) | void | |
validate(key) | ValidatedApiKey | public |
token(key) | ApiKeyToken | public; key must have scopes |
Example#
const { plainTextKey } = await keys.create({ tenantId: 't1', name: 'ci' }); // scopes/period from config
const valid = await keys.validate(plainTextKey);
const { token } = await keys.token(plainTextKey); // verify against /.well-known/jwks.json