Authentication
Manage API Keys and OAuth clients for secure API authentication in FlowGenX
FlowGenX supports two primary authentication methods for API access: API Keys and OAuth 2.0 with JWT tokens via Keycloak integration.
API Key Management
Quick Overview
API Keys provide a simple, secure way for applications to authenticate API requests with flexible expiration control and security features.
Key Features
- Lifecycle Management: Create, rotate, and delete keys with ease
- Expiration Control: Set custom expiration dates or create non-expiring keys
- Grace Period Rotation: Zero-downtime key rotation with configurable grace periods
- Security Controls: Rate limiting, IP allowlisting, and metadata support
- Usage Tracking: Monitor when keys were last used and their status
Creating an API Key
- Navigate to ACL Management → API Keys section
- Click Create API Key
- Configure the key:
| Field | Description | Required |
|---|---|---|
| Consumer | Select the consumer who will use this key | Yes |
| Key Name | Descriptive identifier (e.g., "production-api-key") | Yes |
| Expires In (Days) | Expiration period (default: 365, empty for no expiration) | No |
| Description | Optional notes about the key's purpose | No |
- Click Create API Key
- Important: Copy the generated key immediately - it cannot be retrieved later!
Key Rotation
Zero-Downtime Rotation
During the grace period, both old and new keys remain valid, allowing seamless application updates without service disruption.
To rotate a key:
- Locate the key in the API Keys list
- Click the Rotate button (refresh icon)
- Set the Grace Period (default: 7 days)
- Click Rotate Key
- Copy the new key and update your applications
- Test with the new key before the grace period expires
Key Status Indicators
| Status | Description | Icon Color |
|---|---|---|
| Active | Key is valid and can be used | Green |
| Expired | Key has passed its expiration date | Red |
| Expiring Soon | Key expires within 7 days | Yellow |
| Inactive | Key has been manually disabled | Gray |
Filtering and Search
Find keys quickly using advanced filters:
- Search Bar: Filter by key name, consumer username, or description
- Status Filter: Active, Inactive, Expired, Expiring Soon
- Consumer Filter: View keys for specific consumers
- Date Filter: Expires in 30 days, Already expired, Never expires
- Sort Options: By creation date, expiry date, or key name (ascending/descending)
Best Practices
✓ Use descriptive key names that indicate application/service purpose ✓ Set expiration dates for production keys (recommended: 90-365 days) ✓ Rotate keys regularly using the grace period feature ✓ Delete unused keys immediately to reduce attack surface ✓ Use IP allowlisting for sensitive endpoints ✓ Monitor "Last Used" timestamps to identify stale keys ✓ Never commit keys to version control
OAuth & JWT Management
Enterprise Authentication
OAuth 2.0 with JWT tokens provides enterprise-grade authentication with fine-grained access control through Keycloak integration.
OAuth Client Types
- Service Account Clients: Machine-to-machine authentication
- OpenID Connect: Standard OAuth 2.0 protocol support
- ACL Integration: Automatic permission inheritance from consumer groups
Client Properties
Each OAuth client includes:
| Property | Description |
|---|---|
| Client ID | Unique identifier for the client |
| Client Secret | Secure credential for token requests (shown only once) |
| Consumer | Associated API consumer (inherits ACL groups) |
| Realm | Keycloak realm (default or custom) |
| Protocol | openid-connect (OAuth 2.0) |
| ACL Groups | Permissions inherited from consumer |
| Status | Enabled/Disabled |
Creating an OAuth Client
Created via Consumers
OAuth clients are created through the Consumers section, not directly in the OAuth management view.
Steps to create:
- Navigate to ACL Management → Consumers
- Select or create a consumer
- Click the OAuth action for that consumer
- Click Create OAuth Client
- Configure:
- Client ID: Auto-generated or custom
- Name: Descriptive name
- Description: Optional purpose
- ACL Groups: Inherited from consumer
- Enable Service Account: For machine-to-machine auth
- Redirect URIs: Optional for web flows
- Click Create
- Critical: Save the client secret immediately!
Testing OAuth Flow
Built-in Token Tester
Validate your OAuth configuration without writing code using the integrated token testing tool.
- Go to OAuth & JWT Management section
- Click the Test OAuth flow button (terminal icon) for your client
- Enter the client secret
- Click Get Access Token
- Review results:
- Token validity status
- ACL claim presence
- Inherited ACL groups
- Token expiration time
- Decoded JWT payload
Managing Client Secrets
View Secret:
- Click the View secret button (eye icon)
- Secret displayed in secure modal
- Copy if needed
Regenerate Secret:
- Click the Regenerate secret button (key icon)
- Confirm action (old secret stops working immediately!)
- Copy new secret
- Update all applications
Secret Security
Client secrets are shown only once during creation. Store them securely in environment variables or secret management systems. If lost, you must regenerate (which invalidates the old secret).
ACL Group Inheritance
OAuth clients automatically inherit permissions:
graph LR
A[Consumer] -->|Assigned to| B[ACL Groups]
A -->|Has| C[OAuth Client]
C -->|Inherits| B
C -->|Issues| D[JWT Token]
D -->|Contains| E[acl_groups claim]- Assign groups to consumer
- OAuth client inherits all consumer group permissions
- JWT tokens include
acl_groupsclaim - Permission changes reflect immediately in new tokens
Best Practices
✓ Create separate OAuth clients for each application/service ✓ Use service accounts for backend services (machine-to-machine) ✓ Store secrets in secure vaults (AWS Secrets Manager, HashiCorp Vault) ✓ Regenerate secrets if compromised ✓ Disable clients instead of deleting for temporary suspension ✓ Test tokens after creation to verify permissions ✓ Use descriptive names indicating application purpose ✓ Document which applications use which clients
Environment Filtering
Both API Keys and OAuth clients support environment-specific filtering:
- Use the Environment Selector dropdown
- Filter by: Development, Staging, Production, or All
- Keys and clients are environment-specific
- Provides complete isolation across deployment stages
Common Use Cases
API Keys
- Mobile apps requiring simple authentication
- IoT devices with limited resources
- Third-party integrations
- Testing and development environments
OAuth/JWT
- Microservices architecture with service-to-service auth
- Enterprise applications requiring SSO integration
- Multi-tenant SaaS platforms
- Compliance-driven audit requirements
Security Considerations
API Keys:
- Treat as passwords - never commit to repositories
- Use HTTPS only
- Implement quarterly rotation policies
- Monitor usage patterns for anomalies
- Set expiration dates to limit exposure
OAuth Clients:
- Store secrets in secure vaults
- Use service accounts for non-interactive apps
- Implement token refresh flows
- Monitor validation failures
- Regenerate on suspected compromise
Troubleshooting
API Key Issues
Key Not Working
- Verify key status (not expired/disabled)
- Check IP restrictions
- Confirm consumer association
- Review rate limit status
Rotation Failed
- Ensure sufficient grace period
- Verify old key still valid
- Check application configuration
OAuth Issues
Token Request Failed
- Verify client secret accuracy
- Check client enabled status
- Confirm Keycloak realm configuration
- Validate service account settings
Access Denied Despite Valid Token
- Review ACL groups in decoded token
- Verify consumer group assignments
- Confirm route permissions
- Check Kong gateway sync status