The CodeQual API uses API keys for authentication and usage tracking. This document describes the API key management system implementation.
- api_keys - Stores hashed API keys and metadata
- api_usage_logs - Tracks every API request
- api_subscriptions - Links users to Stripe subscriptions
- api_usage_summaries - Monthly usage aggregation for billing
- api_rate_limits - Rate limiting tracking (can be replaced with Redis)
- API keys are hashed using SHA-256 before storage
- Keys can be restricted to specific endpoints
- Automatic expiration support
- Rate limiting per minute/hour
- Usage tracking for billing
All v1 endpoints require API key authentication:
# Using header (recommended)
curl -H "X-API-Key: ck_your_api_key_here" https://api.codequal.com/v1/analyze-pr
# Using query parameter (for webhooks/browsers)
curl https://api.codequal.com/v1/analyze-pr?api_key=ck_your_api_key_hereAvailable v1 endpoints:
POST /v1/analyze-pr- Analyze a pull requestGET /v1/repository/{url}- Get repository statusGET /v1/analysis/history- Get analysis historyGET /v1/reports/{id}- Get analysis report
# List your API keys
GET /api/keys
# Create new API key
POST /api/keys
{
"name": "Production Key",
"expiresIn": 365 // days (optional)
}
# Revoke API key
DELETE /api/keys/{id}
# Get usage statistics
GET /api/keys/{id}/usageAPI keys follow the format: ck_[32-character-hex]
Example: ck_a1b2c3d4e5f6789012345678901234
Default limits by plan:
- Starter: 60/min, 1000/hour
- Growth: 120/min, 5000/hour
- Scale: 300/min, 20000/hour
- Enterprise: Custom
Every API request tracks:
- Endpoint accessed
- Response time
- Tokens used (for AI operations)
- Cost in USD
- Status code
- Error messages (if any)
{
"error": "Invalid API key",
"code": "INVALID_API_KEY",
"message": "The provided API key is invalid or has been revoked"
}Error codes:
MISSING_API_KEY- No API key providedINVALID_API_KEY- Key not found or inactiveEXPIRED_API_KEY- Key has expiredRATE_LIMIT_EXCEEDED- Too many requestsUSAGE_LIMIT_EXCEEDED- Monthly limit reachedFORBIDDEN_ENDPOINT- Key lacks permission for endpoint
Run the migration to create required tables:
# Using Supabase CLI
supabase db push
# Or directly
psql $DATABASE_URL < packages/database/migrations/20241228_api_key_management.sqlRun the test script:
npm run test:api-keys
# or
ts-node scripts/test-api-keys.tsAPI responses respect the Accept-Language header:
# Spanish error messages
curl -H "Accept-Language: es" -H "X-API-Key: invalid" https://api.codequal.com/v1/analyze-pr
# Response
{
"error": "Clave API inválida",
"code": "INVALID_API_KEY",
"message": "La clave API proporcionada es inválida o ha sido revocada"
}from codequal import CodeQualClient
client = CodeQualClient(api_key="ck_your_key_here")
result = client.analyze_pr(
repository_url="https://github.com/user/repo",
pr_number=123
)import { CodeQualClient } from 'codequal';
const client = new CodeQualClient({ apiKey: 'ck_your_key_here' });
const result = await client.analyzePR({
repositoryUrl: 'https://github.com/user/repo',
prNumber: 123
});curl -X POST https://api.codequal.com/v1/analyze-pr \
-H "X-API-Key: ck_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"repositoryUrl": "https://github.com/user/repo",
"prNumber": 123
}'The system automatically tracks usage for Stripe billing:
- Each request increments usage counters
- Monthly summaries are generated
- Stripe webhooks update subscription status
- Usage-based billing for overages
- Never share API keys in public repos or client-side code
- Rotate keys regularly using the management API
- Use environment variables to store keys
- Restrict key permissions to only required endpoints
- Monitor usage for unusual patterns
- ✅ Database schema created
- ✅ API key middleware implemented
- ✅ Management endpoints created
- ⏳ Run database migration
- ⏳ Test with real Supabase connection
- ⏳ Implement Stripe webhook handlers
- ⏳ Add API key to user dashboard UI