npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@majikah/majik-api

v0.1.2

Published

A high-security API key management library for TypeScript. Handles generation, SHA-256 hashing, and lifecycle management including rate limiting, IP/domain whitelisting, and secure key rotation.

Downloads

261

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

thezelijahthezelijah

Keywords

api-keyapi-managementsecuritysha256rate-limitingwhitelistingkey-rotationip-filteringdomain-validationtypescriptsupabaseredismajikah

Readme

Majik API

Developed by Zelijah GitHub Sponsors

Majik API is an API key management library designed for the Majikah ecosystem. It provides a robust, developer-friendly interface for creating, hashing, and managing API keys with built-in support for rate limiting, IP/Domain whitelisting, and secure rotation.

npm npm downloads npm bundle size License TypeScript

Technical Architecture

1. Security via SHA-256 Hashing

The library ensures that the raw plaintext API key is never stored within the permanent state of the object. Upon creation or rotation, the key is immediately hashed using SHA-256. The rawApiKey property is a temporary field provided only during the initial generation/rotation event to allow for one-time display to the user.

2. Identity Persistence (UUID)

Each key instance maintains a stable id (UUIDv4). This ID remains constant even if the API key text is rotated, allowing for consistent Foreign Key relationships in databases (like Supabase) or audit logs.

3. Rate Limit Enforcement

The class includes built-in logic to normalize and validate rate limits. It enforces a "Safe Limit" ceiling of 500 requests per minute by default. Any attempt to set a limit higher than this requires an explicit bypassSafeLimit flag.

Features

  • Automated Lifecycle: Manage active, restricted, and expired statuses automatically based on timestamps and boolean flags.

  • IP Whitelisting: Supports individual IP addresses and CIDR notation validation.

  • Domain Whitelisting: Validates domains with support for wildcard (*) subdomains.

  • Status Calculation: Dynamic status getter that evaluates if a key is revoked, expired, or active.

  • JSON Serialization: Methods to export/import the class state for database storage (storing only hashes, never raw keys).

Installation

# Using npm
npm install @majikah/majik-api

Quick Start

import { MajikAPI } from '@majikah/majik-api';

// Create a new key for a specific owner
const key = MajikAPI.create('owner_user_id', undefined, {
  name: 'Production Environment Key'
});

// Capture the raw key once (it won't be in the object after serialization)
console.log('Provide this to user:', key.rawApiKey);

// Save to DB (this only saves the SHA-256 hash)
const data = key.toJSON();
// ... save data to your database ...

// Verifying a request later
const isValid = key.verify('key_provided_by_client'); // returns boolean

API Reference

Instance Getters

| Property | Type | Description | | :--- | :--- | :--- | | id | string | The stable UUIDv4 identifier for the record. | | ownerId | string | The identifier of the key owner (e.g., a user ID). | | name | string | Human-readable label for the API key. | | apiKey | string | The SHA-256 hash of the API key. | | rawApiKey | string \| undefined | The plaintext key. Only populated immediately after create() or rotate(). | | timestamp | string | ISO 8601 string of the last rotation or creation time. | | restricted | boolean | Manual toggle indicating if the key is administratively disabled. | | validUntil | string \| null | ISO 8601 expiration date, or null if the key never expires. | | settings | MajikAPISettings | A structured clone of the key's rate limits and whitelist configurations. | | status | 'revoked' \| 'expired' \| 'active' | Returns the current operational state based on internal flags and time. | | msUntilExpiry | number | Milliseconds remaining until validUntil. Returns -1 if no expiry is set. |

Static Methods

| Method | Parameters | Return Type | Description | | :--- | :--- | :--- | :--- | | create | ownerID: string, text?: string, options?: MajikAPICreateOptions | MajikAPI | Instantiates a new key. Generates a random UUID as the key if text is omitted. | | fromJSON | json: MajikAPIJSON | MajikAPI | Reconstructs an instance from a serialized data object. |

Instance Methods: Key Management

| Method | Parameters | Return Type | Description | | :--- | :--- | :--- | :--- | | verify | text: string | boolean | Hashes the input string and performs a constant-time comparison against the stored hash. | | rotate | text?: string | void | Generates a new hash and updates the timestamp. Populates rawApiKey with the new plaintext. | | revoke | None | void | Permanently disables the key by setting restricted to true and the expiry to 1970-01-01. | | isActive | None | boolean | Returns true if the key is not restricted and not expired. | | setName | name: string | void | Updates the human-readable label. | | setRestricted | restricted: boolean | void | Manually enables or disables the key. | | toJSON | None | MajikAPIJSON | Serializes the instance into a plain object for database storage. |

Instance Methods: Constraints & Whitelisting

| Method | Parameters | Return Type | Description | | :--- | :--- | :--- | :--- | | setExpiry | date: Date \| string \| null | void | Updates the valid_until property. Accepts Date objects or ISO strings. | | setRateLimit | amount: number, freq: RateLimitFrequency, bypass?: boolean | void | Sets requests per window. Caps at 500 req/min unless bypassSafeLimit is true. | | enableIPWhitelist | None | void | Enables the IP restriction check. | | disableIPWhitelist | None | void | Disables the IP restriction check. | | addIP | ip: string | void | Adds an IPv4, IPv6, or CIDR range to the whitelist. | | removeIP | ip: string | void | Removes a specific IP/range from the whitelist. | | enableDomainWhitelist| None | void | Enables the Domain restriction check. | | disableDomainWhitelist| None | void | Disables the Domain restriction check. | | addDomain | domain: string | void | Adds a domain (supports *.example.com wildcards) to the whitelist. | | removeDomain | domain: string | void | Removes a specific domain from the whitelist. |

Contributing

If you want to contribute or help extend support to more platforms, reach out via email. All contributions are welcome!

License

Apache-2.0 — free for personal and commercial use.

Author

Made with 💙 by @thezelijah

About the Developer

Contact