Overview
A penetration tester at a defence contractor once found a hardcoded API key in a public GitHub repository. It had read/write access to the entire platform, no expiry date, and no usage monitoring. By the time anyone noticed the repository, the key had been active for eleven months. That scenario is precisely what Argus API key management is designed to prevent.
Every API key issued by Argus is cryptographically generated, scoped to the minimum required permissions, subject to conditional access policies, and monitored for anomalous usage from the moment it is created. Secret values are shown once and stored only in hashed form. Keys that fall silent, travel to unexpected geographies, or start behaving differently from their baseline trigger alerts before damage occurs.
Key Features
- Secure Key Generation: API keys are generated using cryptographically secure methods with high entropy, ensuring uniqueness and resistance to brute-force attacks. Key secrets are displayed only once at creation time and are stored in hashed form.
- Multiple Authentication Methods: Support for standard bearer tokens, signed JWT tokens, OAuth 2.0 client credentials, and mutual TLS certificate authentication to match your integration requirements and security posture.
- Automatic Key Rotation: Configurable rotation schedules with grace periods ensure keys are regularly refreshed without service interruption. Both old and new keys remain valid during the transition period for zero-downtime rotation.
- Granular Scope and Permissions: A hierarchical permission model controls access at the organisation, project, and resource level. Each key can be scoped to specific resources and actions, enforcing least-privilege principles.
- Conditional Access Policies: Restrict key usage based on IP allowlists, geographic location, time-of-day windows, network type, and device compliance to reduce the attack surface of each integration.
- Rate Limiting and Quota Management: Configurable usage quotas with multiple rate limiting strategies prevent abuse while accommodating legitimate traffic patterns. Burst allowances handle temporary spikes. All in-memory rate limiters carry hard caps on total bucket count to prevent memory exhaustion.
- Usage Analytics and Anomaly Detection: Monitor key usage patterns with detailed analytics including request volumes, geographic distribution, error rates, and anomaly detection that identifies potentially compromised keys.
How It Works
Key Lifecycle
- Creation: Keys are generated with specified scopes, rate limits, and conditions. The secret value is displayed once and must be securely stored by the integrator. Integration guidance and example code are provided automatically.
- Active Usage: Each API request is validated against the key's scopes, conditions, and rate limits. Usage metrics are collected continuously and checked against anomaly baselines.
- Rotation: Keys can be rotated on a schedule or on demand. During rotation, a new key is generated and both old and new keys are accepted for a configurable grace period. Proactive notifications alert key owners before scheduled rotations.
- Revocation: Keys can be immediately revoked with global propagation, removing all access within seconds. Revocation triggers include manual action, security threat detection, or policy violations.
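The four lifecycle steps above, worked through in one added example. This is illustrative code written for this page, not Argus's implementation: the `ak_<hex>.<secret>` key format, the 48-bit lookup prefix, the `KeyStore` class and the manual clock are assumptions made here. The hashing parameters (PBKDF2-HMAC-SHA-256, 600,000 iterations) are the ones the Open Standards section states.

```python
"""Added example: a minimal key-lifecycle store (illustrative, not Argus code).
create() returns the secret once and keeps only a salted PBKDF2 digest; verify()
enforces secret, revocation, rotation grace and scope; rotate() issues a successor
and schedules the old key's expiry; revoke() takes effect on the next request."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Hash parameters follow the scheme stated on this page (PBKDF2-HMAC-SHA-256, 600k iterations).
PBKDF2_ITERATIONS = 600_000


def _digest(secret: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)


@dataclass
class KeyRecord:
    key_id: str                          # public prefix: safe to log, used as lookup index
    salt: bytes
    digest: bytes
    scopes: frozenset
    expires_at: Optional[float] = None   # set by rotate(): old key dies when grace ends
    revoked: bool = False
    successor: Optional[str] = None      # key_id of the replacement, for audit/notification


class KeyStore:
    def __init__(self, clock=time.time, iterations: int = PBKDF2_ITERATIONS):
        self.clock = clock
        self.iterations = iterations
        self.records: dict = {}

    def create(self, scopes) -> tuple:
        """Return (key_id, full_secret). The full secret is shown exactly once; the store
        keeps only its salted digest, so a database leak yields no usable keys."""
        key_id = "ak_" + secrets.token_hex(6)                     # assumed 48-bit public prefix
        full_secret = f"{key_id}.{secrets.token_urlsafe(32)}"     # 256 bits of entropy after the dot
        salt = secrets.token_bytes(16)
        self.records[key_id] = KeyRecord(
            key_id, salt, _digest(full_secret, salt, self.iterations), frozenset(scopes))
        return key_id, full_secret

    def verify(self, presented: str, required_scope: str) -> tuple:
        """Validate a presented key: (allowed, reason)."""
        key_id, _, _ = presented.partition(".")
        rec = self.records.get(key_id)
        if rec is None:
            return False, "unknown_key"
        # Prefix lookup means one PBKDF2 evaluation per request; compare in constant time.
        if not hmac.compare_digest(_digest(presented, rec.salt, self.iterations), rec.digest):
            return False, "bad_secret"
        if rec.revoked:
            return False, "revoked"
        if rec.expires_at is not None and self.clock() >= rec.expires_at:
            return False, "expired_after_grace"
        if required_scope not in rec.scopes:
            return False, "insufficient_scope"
        return True, "ok"

    def rotate(self, key_id: str, grace_seconds: float) -> tuple:
        """Issue a successor with identical scopes; the old key stays valid until grace ends."""
        old = self.records[key_id]
        new_id, new_secret = self.create(old.scopes)
        old.expires_at = self.clock() + grace_seconds
        old.successor = new_id
        return new_id, new_secret

    def revoke(self, key_id: str) -> None:
        """Immediate revocation; enforced by the very next verify() call."""
        self.records[key_id].revoked = True


def demo_lifecycle() -> list:
    """Walk one key through create, rotate, grace expiry and revoke on a manual clock.
    Returns the verify() reasons observed at each step."""
    now = [1_000.0]
    store = KeyStore(clock=lambda: now[0])
    kid, secret = store.create({"investigations:read"})
    tampered = secret[:-1] + ("x" if secret[-1] != "x" else "y")
    out = [store.verify(secret, "investigations:read")[1],
           store.verify(secret, "investigations:write")[1],
           store.verify(tampered, "investigations:read")[1]]
    new_kid, new_secret = store.rotate(kid, grace_seconds=3600)
    out += [store.verify(secret, "investigations:read")[1],       # old key still valid in grace
            store.verify(new_secret, "investigations:read")[1]]   # new key valid at once
    now[0] += 3601                                                # grace period elapses
    out.append(store.verify(secret, "investigations:read")[1])
    store.revoke(new_kid)
    out.append(store.verify(new_secret, "investigations:read")[1])
    return out


if __name__ == "__main__":
    print(demo_lifecycle())
```

Two points the code makes that the bullets only imply: the public prefix is what lets the server find the record without hashing the presented secret against every stored digest, and with 600,000 PBKDF2 iterations each verification costs hundreds of milliseconds of CPU, so a production service caches verified results or rate-limits unauthenticated attempts per prefix rather than paying that cost on every request.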
Permission Model
Keys support a hierarchical scope architecture:
- Resource-based scoping controls which data types the key can access (for example, investigations, evidence, or users)
- Action-level permissions control what operations are allowed (read, write, delete, execute, admin)
- Conditional policies add context-based restrictions (IP ranges, geography, time windows, network requirements)
- Hierarchical inheritance allows organisation-level keys to delegate subsets of their permissions
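The four layers of the permission model, as an added example written for this page rather than taken from Argus. The `org/project/resource:action` scope syntax, the `Scope`, `Conditions` and `ApiKey` classes, the sample organisation `acme` and the `10.20.0.0/16` allowlist are all assumptions made here; the decision values PERMIT and DENY follow the XACML-style model described under Open Standards.

```python
"""Added example: hierarchical scopes, delegation checks and conditional policies
(illustrative, not Argus code). Scopes are written org/project/resource:action with
"*" as a wildcard at any level. A delegated key may hold only scopes its parent
already covers; conditions restrict by source IP and by UTC time window."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Tuple

ACTIONS = {"read", "write", "delete", "execute", "admin"}


@dataclass(frozen=True)
class Scope:
    org: str
    project: str
    resource: str
    action: str

    @classmethod
    def parse(cls, text: str) -> "Scope":
        """'acme/ir-2024/investigations:read' -> Scope; wildcards allowed at any level."""
        path, _, action = text.rpartition(":")
        org, project, resource = path.split("/")
        if action != "*" and action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        return cls(org, project, resource, action)

    def covers(self, other: "Scope") -> bool:
        """True when every level of self equals other's or is a wildcard.
        A concrete level never covers a wildcard, so delegation cannot widen a grant."""
        return all(mine in ("*", theirs) for mine, theirs in zip(
            (self.org, self.project, self.resource, self.action),
            (other.org, other.project, other.resource, other.action)))

    def __str__(self) -> str:
        return f"{self.org}/{self.project}/{self.resource}:{self.action}"


@dataclass
class Conditions:
    ip_allow: tuple = ()                          # networks; empty means no IP restriction
    hours_utc: Optional[Tuple[int, int]] = None   # (start, end) hours, end exclusive, may wrap midnight

    def check(self, client_ip: str, at: datetime) -> Optional[str]:
        """Return a denial reason, or None when all conditions hold."""
        if self.ip_allow and not any(ipaddress.ip_address(client_ip) in n for n in self.ip_allow):
            return "ip_not_allowlisted"
        if self.hours_utc:
            start, end = self.hours_utc
            h = at.astimezone(timezone.utc).hour
            inside = start <= h < end if start < end else (h >= start or h < end)
            if not inside:
                return "outside_time_window"
        return None


@dataclass
class ApiKey:
    key_id: str
    scopes: frozenset
    conditions: Conditions = field(default_factory=Conditions)

    def delegate(self, key_id: str, scopes, conditions: Optional[Conditions] = None) -> "ApiKey":
        """Hierarchical inheritance: the child may hold only scopes this key already covers."""
        child = frozenset(Scope.parse(s) for s in scopes)
        excess = [str(s) for s in child if not any(p.covers(s) for p in self.scopes)]
        if excess:
            raise PermissionError(f"cannot delegate beyond parent grant: {sorted(excess)}")
        return ApiKey(key_id, child, conditions or self.conditions)


def can_delegate(parent: ApiKey, scopes) -> bool:
    try:
        parent.delegate("ak_probe", scopes)
        return True
    except PermissionError:
        return False


def authorize(key: ApiKey, requested: str, client_ip: str, at: datetime) -> Tuple[str, str]:
    """Policy-decision-point style result: ('PERMIT' | 'DENY', reason). Conditions are
    evaluated first, so a key used from the wrong place is denied even for actions it holds."""
    denied = key.conditions.check(client_ip, at)
    if denied:
        return "DENY", denied
    want = Scope.parse(requested)
    if "*" in (want.org, want.project, want.resource, want.action):
        return "DENY", "wildcard_in_request"        # requests must name one concrete target
    if not any(s.covers(want) for s in key.scopes):
        return "DENY", "scope_not_granted"
    return "PERMIT", "ok"


def at_utc(hour: int) -> datetime:
    """Constructed timestamp on an arbitrary day, for the sample decisions below."""
    return datetime(2026, 2, 5, hour, tzinfo=timezone.utc)


# Constructed sample hierarchy: an organisation-level key delegates a read-only,
# IP- and office-hours-restricted subset to an incident-response integration.
ORG_KEY = ApiKey("ak_org", frozenset({Scope.parse("acme/*/*:*")}))
IR_KEY = ORG_KEY.delegate(
    "ak_ir",
    ["acme/ir-2024/investigations:read", "acme/ir-2024/evidence:read"],
    Conditions(ip_allow=(ipaddress.ip_network("10.20.0.0/16"),), hours_utc=(8, 18)))

if __name__ == "__main__":
    print(authorize(IR_KEY, "acme/ir-2024/investigations:read", "10.20.5.7", at_utc(9)))
    print(authorize(IR_KEY, "acme/ir-2024/evidence:delete", "10.20.5.7", at_utc(9)))
```

The asymmetry in `covers` is the important line: a parent holding `acme/ir-2024/*:read` cannot mint a child with `acme/*/evidence:read`, because a concrete project never covers a wildcard. Without that rule, delegation becomes a privilege-escalation path.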
Rate Limiting
Multiple rate limiting strategies are available to match your needs:
- Fixed window for straightforward billing-based quotas
- Sliding window for smooth enforcement without boundary gaming
- Token bucket for natural accommodation of traffic spikes
- Cost-based quotas where different operations consume different amounts of quota
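The strategies listed above side by side, as an added example written for this page (not Argus's limiter). The class names, the `BoundedStore` LRU cap and the sample traffic pattern are assumptions made here; the cap on bucket count illustrates the memory-exhaustion guard mentioned under Key Features, and every strategy takes a per-request `cost` so the same code serves cost-based quotas.

```python
"""Added example: fixed window, sliding window log and token bucket limiters, each
cost-aware, sharing a BoundedStore that caps the number of per-client buckets held
in memory (illustrative, not Argus code). burst_at_boundary() shows why a fixed
window can be gamed at the boundary while a sliding window cannot."""
from collections import OrderedDict, deque


class BoundedStore:
    """Per-client state with an LRU hard cap; evicting the least-recently-used bucket
    means a client spraying fresh key ids cannot grow memory without bound."""
    def __init__(self, factory, max_buckets: int):
        self.factory, self.max_buckets = factory, max_buckets
        self.items: "OrderedDict[str, object]" = OrderedDict()

    def get(self, client: str):
        if client in self.items:
            self.items.move_to_end(client)
        else:
            if len(self.items) >= self.max_buckets:
                self.items.popitem(last=False)            # evict least recently used
            self.items[client] = self.factory()
        return self.items[client]


class FixedWindow:
    """Counter resets at every window boundary: cheap and easy to bill against, but a
    client can spend a full quota just before a boundary and another just after it."""
    def __init__(self, limit: int, window: float, max_buckets: int = 10_000):
        self.limit, self.window = limit, window
        self.store = BoundedStore(lambda: [0, 0.0], max_buckets)   # [used, window_start]

    def allow(self, client: str, now: float, cost: int = 1) -> bool:
        st = self.store.get(client)
        start = now - (now % self.window)
        if st[1] != start:
            st[0], st[1] = 0, start
        if st[0] + cost > self.limit:
            return False
        st[0] += cost
        return True


class SlidingWindowLog:
    """Sum the cost of requests in the trailing `window` seconds; there is no boundary
    to game, at the price of keeping one entry per accepted request."""
    def __init__(self, limit: int, window: float, max_buckets: int = 10_000):
        self.limit, self.window = limit, window
        self.store = BoundedStore(deque, max_buckets)

    def allow(self, client: str, now: float, cost: int = 1) -> bool:
        log = self.store.get(client)
        while log and log[0][0] <= now - self.window:
            log.popleft()
        if sum(c for _, c in log) + cost > self.limit:
            return False
        log.append((now, cost))
        return True


class TokenBucket:
    """Refill `rate` tokens per second up to `capacity`; a full bucket absorbs a burst
    and the steady state converges to `rate` requests per second."""
    def __init__(self, capacity: float, rate: float, max_buckets: int = 10_000):
        self.capacity, self.rate = capacity, rate
        self.store = BoundedStore(lambda: [capacity, None], max_buckets)  # [tokens, last_ts]

    def allow(self, client: str, now: float, cost: float = 1) -> bool:
        st = self.store.get(client)
        if st[1] is not None:
            st[0] = min(self.capacity, st[0] + (now - st[1]) * self.rate)
        st[1] = now
        if st[0] < cost:
            return False
        st[0] -= cost
        return True


def burst_at_boundary(limiter, limit: int) -> int:
    """Constructed traffic: `limit` requests at t=59.5s and `limit` more at t=60.5s,
    one second apart across a 60s boundary. Returns how many were admitted."""
    return (sum(limiter.allow("k1", 59.5) for _ in range(limit))
            + sum(limiter.allow("k1", 60.5) for _ in range(limit)))


if __name__ == "__main__":
    print("fixed window admits", burst_at_boundary(FixedWindow(10, 60.0), 10))
    print("sliding window admits", burst_at_boundary(SlidingWindowLog(10, 60.0), 10))
```

With a limit of 10 per minute, the fixed window admits all 20 requests because the second burst lands in a fresh window; the sliding window admits 10. The token bucket is the one to reach for when legitimate clients are bursty, and the `cost` argument is how a heavy export or search is made to consume more quota than a cheap read.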
Open Standards
- OAuth 2.0 (RFC 6749): API keys may authenticate via the OAuth 2.0 client credentials grant, and key scopes follow RFC 6749 scope semantics for least-privilege access delegation.
- JSON Web Token (RFC 7519): Signed JWT tokens are a supported API key authentication method; the platform validates RS256-signed JWTs including issuer, audience, and expiry claims.
- JSON Web Key / JSON Web Algorithms (RFC 7517 / RFC 7518): Public keys for RS256 token verification are distributed and rotated via a JWKS endpoint, conforming to the JOSE family of specifications.
- Bearer Token Usage (RFC 6750): All API key authentication uses the `Authorization: Bearer` scheme defined in RFC 6750, including standard `WWW-Authenticate` challenge headers on rejection.
- OASIS XACML 3.0: The hierarchical scope and permission model is evaluated against OASIS eXtensible Access Control Markup Language 3.0 attribute categories, producing PERMIT or DENY decisions per the standard policy decision point model.
- FIPS 140-2 (Key Management): Cryptographic key management controls, including rotation intervals, storage mechanism requirements, and key zeroisation, are validated against the requirements of FIPS 140-2 Section 4.7 (Cryptographic Key Management).
- NIST SP 800-132 (PBKDF2): Stored API key secrets are hashed using PBKDF2-HMAC-SHA-256 at 600,000 iterations, aligned to NIST SP 800-132 recommendations for password-based key derivation.
- Mutual TLS (RFC 8705): Certificate-based mutual TLS is supported as an authentication method for integrations requiring strong machine identity assurance at the transport layer.
Compliance
API key management supports compliance with:
- SOC 2: Complete audit trail of key lifecycle events, access controls, and usage monitoring
- ISO 27001: Information security controls for authentication and access management
- PCI-DSS: Secure credential management for cardholder data environments
- GDPR: Access controls and audit logging for personal data processing
Availability
- Enterprise Plan: Included with full feature set
- Professional Plan: Included with standard rate limits
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14