Unique public identifier for the API key, typically prefixed for easy recognition and used as the primary reference in API requests. This is the non-sensitive portion that can be logged and displayed safely.

Example: "ak_live_1a2b3c4d5e6f7g8h9i0j"

Human-readable name assigned to the API key for identification purposes, helping users and administrators distinguish between multiple keys with different purposes or environments.

Example: "Production Integration Key"

Optional detailed description explaining the purpose, usage context, or intended application of this API key, useful for documentation and governance purposes.

Example: "API key for production payment gateway integration with Stripe webhook processing"

Reference to the User entity that owns this API key when the key is scoped to an individual user account. Null when the key belongs to an organization, tenant, or is a service account.

Example: "user_9k8j7h6g5f4d3s2a1"

Reference to the Organization entity that owns this API key when the key is scoped to organizational access. Null when the key belongs to a user, tenant, or is a service account.

Example: "org_tech_corp_2024"

Reference to the Tenant entity that owns this API key in multi-tenant architectures where keys are scoped to specific tenant instances. Null when not applicable to tenant context.

Example: "tenant_acme_production"

Discriminator indicating the type of entity that owns this API key, used to determine which ownership reference field should be populated and how permissions should be evaluated.

Values: user, organization, tenant, service-account

Example: "organization"

Current lifecycle status of the API key controlling whether it can be used for authentication. Active keys allow API access, inactive keys are temporarily disabled, revoked keys are permanently invalidated, and expired keys have passed their expiration date.

Values: active, inactive, revoked, expired

Example: "active"

Cryptographically hashed representation of the secret key portion used to validate authentication requests. The plain-text secret is only shown once at creation time and never stored directly for security purposes.

Example: "$2b$12$KIXxKzXq8Z5yF6Hv8qE2Pu.Vz9fG8yH5jN2kL3mP4qR5sT6uV7wX8"

Array of permission scopes that define what operations and resources this API key is authorized to access. Scope syntax follows domain-specific conventions such as resource:action patterns or hierarchical namespaces.

Example: ["users:read","payments:write","webhooks:manage"]

Whitelist of IP addresses or CIDR ranges from which API requests using this key will be accepted. Empty or null indicates no IP restrictions, allowing requests from any origin address.

Example: ["203.0.113.0/24","198.51.100.42"]

Whitelist of origin domains or URLs permitted to use this API key, typically used for browser-based applications requiring CORS validation. Null or empty allows all origins.

Example: ["https://app.example.com","https://dashboard.example.com"]

Rate limiting configuration object specifying maximum request thresholds per time window to prevent abuse and ensure fair resource usage. Contains fields like requestsPerMinute, requestsPerHour, and requestsPerDay.

Example: {"requestsPerMinute":60,"requestsPerHour":1000,"requestsPerDay":10000}

Cumulative count of successful API requests authenticated with this key since its creation, useful for tracking key utilization and identifying high-traffic integrations.

Example: 15847

Timestamp of the most recent successful API request authenticated with this key, useful for identifying stale or unused keys that may be candidates for revocation.

Example: "2025-11-27T14:32:18Z"

Optional expiration timestamp after which the API key will no longer be valid for authentication. Null indicates the key does not expire and remains valid until explicitly revoked or deactivated.

Example: "2026-11-27T23:59:59Z"

Timestamp when the API key was permanently revoked, indicating it can no longer be used for authentication. Null when the key has not been revoked.

Example: "2025-11-15T09:20:33Z"

Reference to the User entity who performed the revocation action, useful for audit trails and security investigations. Null when not revoked or revoked by automated processes.

Example: "user_admin_5f4d3s2a1z"

Optional explanation for why the API key was revoked, providing context for security audits, compliance reviews, or troubleshooting access issues.

Example: "Security incident: potential key compromise detected"

Deployment environment context where this API key is intended to be used, helping teams organize and manage keys across different stages of the development lifecycle.

Values: development, staging, production, test

Example: "production"

Flexible key-value store for domain-specific attributes, custom tags, integration identifiers, or any additional data needed for specialized implementations without modifying the core schema.

Example: {"integrationId":"int_stripe_webhook_001","projectName":"Payment Gateway v2","costCenter":"engineering-platform"}

Computed boolean indicating whether the API key is currently valid for authentication by evaluating status, expiration, and revocation conditions. Returns true only when status is active and key is neither expired nor revoked.

Example: true

Computed boolean indicating whether the API key has passed its expiration date. Returns true when expiresAt exists and is in the past, false otherwise.

Computed number of days remaining until the API key expires, useful for proactive notifications and renewal workflows. Null when expiresAt is not set, negative when already expired.

Example: 365

Computed number of days elapsed since the API key was last used for authentication, useful for identifying dormant keys. Null when lastUsedAt is not set.

Example: 3