A zero-dependency, stateless API-key layer for Node.js
Drop in `apikee()` middleware on any route, or use the high‑level `create()`/`validate()` functions directly. Supports local operation (AES‑GCM + HMAC) and optional cloud logging.
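- Stateless: keys carry their own metadata—no database required. In local‑only mode there is no server‑side record to delete, so plan for revocation up front (short expiry, secret rotation, or your own deny‑list).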
- AES‑GCM + HMAC‑SHA256: payload encryption + truncated signature for authenticity.
- Flexible: local‑only or cloud‑enabled via `APIKEE_TOKEN`.
- Framework support: Express, Koa, Fastify, Hapi, Restify, Next.js (Pages & App routers).
- TypeScript ready, with built‑in type definitions.
- Compact Base62 encoding for short, mixed‑case keys.
npm install apikee
Set up your HMAC/AES secret:
# Use a long, randomly generated value here (for example the output of
# `openssl rand -base64 32`), not a memorable phrase: this is the HMAC/AES
# secret, so anyone who obtains it can presumably mint keys that validate.
# Generate it once, keep it in a secret store, and keep it out of the repo.
export APIKEE_SECRET="your-very-secure-secret"
# Optional: export APIKEE_TOKEN="<your-cloud-token>"
import { init, create, validate } from 'apikee';
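// (Optional) custom config. Read the secret from the environment (or a secret
// manager) rather than a string literal, so it never ends up in version control.
const secret = process.env.APIKEE_SECRET;
if (!secret) {
  // Fail at startup instead of running with an empty or undefined secret.
  throw new Error('APIKEE_SECRET is not set');
}
init({ secret, prefix: 'myprefix', clockSkewSec: 5 });

// Generate a new key (local only):
const info = await create();
// The key is a bearer credential: show it once to its owner and keep it out of
// application logs. Printing it here is for demonstration only.
console.log(info.key); // e.g. "apikee_XyZ123..."

// Validate a key:
// NOTE(review): this page does not show how validate() reports an invalid or
// expired key (throw vs. empty result) — confirm before reading fields off meta.
const meta = await validate(info.key);
console.log(meta.id, meta.expiresAt, meta.createdAt);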
import express from 'express';
import { express as apikee } from 'apikee/express';
const app = express();

// apikee() is listed before the handler, so it runs first; the handler then
// reads the key's metadata from req.apiKee.
// NOTE(review): how the middleware answers a missing or invalid key is not
// shown on this page — confirm it ends the request rather than calling next().
app.get('/data', apikee(), (req, res) => {
  const { id: clientId } = (req as any).apiKee;
  return res.json({ clientId });
});
import Koa from 'koa';
import { koa as apikee } from 'apikee/koa';
const app = new Koa();

// Registered ahead of the handler, so every request passes through apikee()
// before ctx.apiKee is read.
app.use(apikee());
app.use((ctx) => {
  const { id: clientId } = ctx.apiKee;
  ctx.body = { clientId };
});
import { NextResponse } from 'next/server';
import { apikee } from 'apikee/next/app';
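/**
 * GET handler for a Next.js App Router route protected by apikee.
 *
 * apikee()(req) resolves to the key's metadata. According to the original
 * snippet's comment, a rejected request is signalled by throwing a ready-made
 * NextResponse.
 *
 * @param {Request} req - Incoming request passed in by Next.js.
 * @returns {Promise<Response>} JSON with the client id, or the rejection response.
 * @throws Rethrows anything thrown that is not a Response.
 */
export async function GET(req) {
  try {
    const info = await apikee()(req);
    return NextResponse.json({ clientId: info.id });
  } catch (err) {
    // Only a thrown Response (NextResponse extends Response) is safe to hand
    // back to the client. Anything else is an unexpected failure: rethrow it so
    // it surfaces as a server error instead of being returned as a response.
    if (err instanceof Response) {
      return err;
    }
    throw err;
  }
}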