Zuplo
API Key Management

Stripe-quality API keys, fully managed

Self-serve issuance, rolling rotation, rich metadata, GitHub leak detection, and a 4-step validation pipeline that lands in single-digit milliseconds — without a key service to operate.

Start for Free Read the Docs

API Key Service

Bucket Name:zprj-enw4aunqqvr14gw7ci9ilrdp-working-copy
Consumers
Search by name
Create Consumer

No consumers found. Create your first consumer to get started.

Create Consumer
Why this matters

Hand-rolled API key services age badly

Every API team builds an API key system. Every one of them is incomplete in a different place — leak detection, rotation, edge validation, self-serve, audit. The fast path forward is to stop building and start using one that already does all of it.

×

Auth service nobody asked you to build

Hashing, rotation, storage, validation — all the parts of an API key system you'd rather not own. So your homegrown version skips one of them, and the postmortem references it by name.

×

Customers waiting on you to issue keys

Every signup is a Slack ping, a back-and-forth, a key emailed in plaintext. Sales-led when it should be self-serve. Trial users abandon before you respond.

×

Keys leaked, no one notices

A customer commits a key to a public repo. You find out three months later from a Stripe dispute or a usage spike. By then, the bot has been at it for a while.

×

Key rotation = scheduled downtime

Rolling a key means every customer needs to update their integration the same day. So you don't rotate. So when a leak happens, you're rotating in production at 3am.

What you get

A complete API key service, on day one

Edge-fast validation

Format check + checksum validate in microseconds with no network call. Cache hits land in single-digit ms in the same data center as the request. The slow path — first call, fresh cache — is still under 50ms.

Self-serve, branded

Customers create, view, roll, and delete their own keys via the included developer portal — or embed the open-source React component in your own app for a fully branded flow. Your team stops being the bottleneck.

Leak detection on every plan

Zuplo is a GitHub secret-scanning partner. Committed zpka_ keys are auto-detected and flagged within minutes — you get the key, the repo, the commit. One click revokes and rolls.

Edge validation & leak detection

Single-digit-ms validation — and a leak alert before the breach

Format check, checksum validation, edge cache lookup, key service — in that order. Garbage strings reject in microseconds without touching a database. Cache hits land in milliseconds in the same data center. Leaked keys get flagged by GitHub before the attacker does anything with them.

Edge Validation & Leak Detection
AVG 5ms

Validation pipeline · zpka_xxx_yyy

0.1ms

Format

zpka_ prefix verified

0.2ms

Checksum

instant validation, no DB

1.2ms

Edge cache

TTL 60s, same data center

4.8ms

Key service

globally replicated

TimeTypeDetailStatus
300+ edge data centers
GitHub partner for leak detection
Roll key API · no downtime
Self-serve issuance Portal + Management API + React component

Three ways to put keys in your customers' hands

Use the included developer portal for instant self-serve, embed the open-source React component in your own dashboard, or call the Developer API for fully programmatic issuance. All three flow through the same hashed-at-rest, edge-replicated key store.

TerminalIssue a consumer + key · Developer API
curl -X POST "https://dev.zuplo.com/v1/accounts/$ACCOUNT/key-buckets/$BUCKET/consumers?with-api-key=true" \
  -H "Authorization: Bearer $ZUPLO_DEVELOPER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "acme",
    "description": "Acme Corp production",
    "metadata": { "plan": "pro", "orgId": 456 },
    "tags": { "externalId": "cust_abc" }
  }'
TerminalRoll key with 7-day grace period
curl -X POST "https://dev.zuplo.com/v1/accounts/$ACCOUNT/key-buckets/$BUCKET/consumers/$CONSUMER/keys/roll" \
  -H "Authorization: Bearer $ZUPLO_DEVELOPER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "expiresOn": "2026-05-13T00:00:00Z"
  }'

# New key minted, old keys expire on the date.
# Both keys validate during the transition window.
zpka_<random>_<checksum>
Custom metadata per consumer
Tags for management filtering
Buckets shared across projects
Open-source React component
Auth0 / Okta / Clerk auto-provision
Read the Developer API Docs
Metadata as identity

The key isn't just authentication — it's identity context

Attach plan, tenant, partner ID, allowed regions — anything you need — to a consumer when you issue the key. Read it on every request via request.user.data. Inject it into rate limits, monetization meters, custom authorization, observability tags, and backend headers — without a second database call.

TypeScriptPer-partner authorization · custom policy
// Partner key has metadata: { partnerId, allowedStores }
export default async function (request, context) {
  const { partnerId, allowedStores } = request.user.data;
  const requestedStore = request.params.storeId;

  if (!allowedStores.includes(requestedStore)) {
    return new Response("Forbidden", { status: 403 });
  }

  // Forward partner identity to backend
  request.headers.set("x-partner-id", partnerId);
  return request;
}
TerminalIssue a partner key with authorization context
curl -X POST "https://dev.zuplo.com/v1/.../consumers?with-api-key=true" \
  -H "Authorization: Bearer $ZUPLO_DEVELOPER_API_KEY" \
  -d '{
    "name": "acme-partner",
    "metadata": {
      "partnerId": "acme",
      "plan": "enterprise",
      "allowedStores": ["sf", "nyc", "lon"],
      "tenantId": "t_842"
    }
  }'
Read on every request · request.user.data
Drives custom RBAC and authorization
Per-tenant rate limits and quotas
Forward to backend as trusted headers
Tag every log line with the consumer
Update metadata, no key rotation
What makes Zuplo different

Built like a key service, runs like a gateway

GitHub leak detection by default

Zuplo is an official GitHub secret-scanning partner. The zpka_ prefix and checksum let committed keys be detected and reported automatically — every plan, no opt-in. Custom enterprise key formats trade this off.

Roll key with grace period

POST one endpoint, get a new key minted, and have an expiresOn date stamped on every existing key. Both work during the window. Customers migrate when they're ready. Zero downtime, zero scripting.

Edge replication, no central DB

Keys validate at 300+ data centers in single-digit ms because the result is cached locally. The key service itself is globally replicated, so even cache misses don't cross continents. Billions of validations per day, low-latency worldwide.

Rich metadata, full Management API

Attach arbitrary JSON to each consumer (plan, tenant, customer ID); read it on every request via request.user.data. Or use tags for management-only filtering. The Developer API exposes Buckets / Consumers / API Keys for issuance, querying, rotation, and revocation.

Real questions, real answers

What teams use this for

“We want self-serve trial keys without a sales conversation.”

Stand up the included developer portal, point it at your Auth0 (or any IdP). Customers sign up, click "Create key," and they're calling your API in 60 seconds — with metadata.plan = "trial" attached so your rate-limit policy throttles them appropriately.

“A customer just leaked a key on GitHub. What now?”

You'll know first — Zuplo's GitHub secret-scanning integration alerts you with the key and the public repo URL. POST to the roll endpoint to mint a fresh one and put a 7-day expiry on the leaked key. Customer updates on their schedule; the leaked key stops working when the window closes.

“Each B2B partner can only access their own subset of stores.”

Stash the partner's allowed store IDs on the API key as metadata ({ partnerId: "acme", allowedStores: ["sf", "nyc"] }). A short custom policy reads request.user.data and rejects any path or query that asks for a store outside the list. No extra lookup, no second auth call — the key is the authorization context.

“Backend needs to know who's calling, without a second auth round-trip.”

The gateway already validated the key. Forward the consumer ID, plan, and any metadata you need as headers (x-consumer-id, x-plan, x-tenant) before the request hits your origin. Your backend trusts the gateway, not the public network — no second JWT verification, no shared database lookup.

Frequently Asked Questions

Common questions about API key management with Zuplo.

Replace the API key service nobody asked you to maintain

Free Zuplo project, drop in api-key-inbound, and your customers self-serve their own keys today.

Talk to a Solutions Engineer Start for Free