npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

nestjs-apikey-auth

v1.0.0

Published

API-key authentication for NestJS — opaque hashed-at-rest keys, scopes, expiry, instant revocation, and a default-deny guard for machine & third-party callers.

Readme

nestjs-apikey-auth

API-key authentication for NestJS: opaque, hashed-at-rest keys with scopes, optional expiry, and instant revocation, behind a default-deny guard — for machine, service, and third-party callers. Wired with a single forRoot().

🔆 ESM-only. Requires Node ≥ 20 and NestJS 10 / 11.

This is the machine / third-party half. For human user sessions use the siblings: stateless JWTs (nestjs-jwt-guard) or opaque login tokens (nestjs-oauth2-password). They compose — run an API-key guard and a user-session guard side by side.

Why

An API key is a pre-shared, long-lived secret minted out-of-band (a dashboard) — no login flow, and the principal is an app or service, not a logged-in user. That makes it the right tool for service-to-service calls, a public/partner API (per-key identity, scopes, instant revoke), webhooks, and CLI/CI (MYAPP_API_KEY in an env var) — exactly where a JWT's short TTL + refresh dance is friction.

Keys are opaque and looked up by hash on every request, so revocation is instant and the key's state is always live. The package mints keys and runs the flow; you own persistence (so revocation is real). Keys are stored as a SHA-256 hash — never in plaintext.

Don't use an API key for browser SPAs / end-users (a key can't be hidden client-side → use a user-session token).

Install

npm install nestjs-apikey-auth

@nestjs/common, @nestjs/core, and reflect-metadata are peer dependencies (already in any Nest app).

Quick start

Register once — it registers the guard globally. Every route now requires Authorization: ApiKey <key>:

import { Module } from '@nestjs/common';
import { ApiKeyModule } from 'nestjs-apikey-auth';
import { ApiKeyStoreService } from './apikey-store.service';

@Module({
  imports: [
    ApiKeyModule.forRootAsync({
      inject: [ApiKeyStoreService],
      useFactory: (store: ApiKeyStoreService) => ({ store }),
    }),
  ],
})
export class AppModule {}

Issue a key (e.g. from an admin endpoint) — the raw key is returned once; only its hash is stored:

import { ApiKeyService } from 'nestjs-apikey-auth';

constructor(private readonly apiKeys: ApiKeyService) {}

async createKey(ownerId: string) {
  const { key } = await this.apiKeys.issue(
    { id: crypto.randomUUID(), ownerId, scopes: ['billing:read'], name: 'CI deploy key' },
    { prefix: 'sk_live' }, // → "sk_live_<256-bit>"
  );
  return { apiKey: key }; // show once — you cannot recover it later
}

Protect routes, exempt public ones with @Public(), gate by scope with @RequireScopes(), and read the key with @ApiKey():

import { ApiKey, Public, RequireScopes, type ApiKeyRecord } from 'nestjs-apikey-auth';

@Public()
@Get('health')
health() { return { ok: true }; }

@RequireScopes('billing:read')        // valid key lacking the scope ⇒ 403
@Get('invoices')
invoices(@ApiKey() key: ApiKeyRecord) {
  return this.invoices.forOwner(key.ownerId);
}

A missing/invalid/expired key ⇒ 401; a valid key without a required scope ⇒ 403.

The store seam

The package stores nothing — you implement one ApiKeyStore, backed by your DB. Look up by hash (hashApiKey is exported), and persist only the hash:

import { Injectable } from '@nestjs/common';
import {
  type ApiKeyRecord,
  type ApiKeyStore,
  type IssuedApiKey,
} from 'nestjs-apikey-auth';

@Injectable()
export class ApiKeyStoreService implements ApiKeyStore {
  constructor(private readonly db: PrismaService) {}

  async findByHash(hash: string): Promise<ApiKeyRecord | null> {
    const row = await this.db.apiKey.findFirst({ where: { keyHash: hash, revokedDate: null } });
    return row && { id: row.id, ownerId: row.ownerId, name: row.name, scopes: row.scopes, expiryDate: row.expiryDate };
  }

  save(key: IssuedApiKey) {              // optional — used by ApiKeyService.issue
    return this.db.apiKey.create({ data: { ...key } });
  }

  revoke(id: string) {                  // instant — takes effect next request
    return this.db.apiKey.update({ where: { id }, data: { revokedDate: new Date() } });
  }

  touch(id: string, at: Date) {         // optional — last-used, called fire-and-forget
    return this.db.apiKey.update({ where: { id }, data: { lastUsedDate: at } });
  }
}

Mint and hash keys yourself (without ApiKeyService) using the exported generateApiKey / hashApiKey / parseDisplayPrefix — they're framework-free, so they also work in a Lambda or CLI.

Scopes

scopes are opaque strings on each key. @RequireScopes(a, b) requires all of them (AND). Wildcards: a granted '*' satisfies anything; a granted 'billing:*' satisfies 'billing:read', 'billing:write', … Matching is case-sensitive.

Scopes compose with nestjs-accesscontrol and are orthogonal: scopes gate which keys may call an endpoint; access-control gates what the resolved principal may do. Use a resolvePrincipal callback to also populate req.user from a key for the authZ layer.

Configuration

ApiKeyModule.forRoot({
  store,                         // your ApiKeyStore (required)
  header: 'Authorization',       // header to read (default)
  scheme: 'ApiKey',              // auth scheme; '' reads the raw header value (default 'ApiKey')
  allowQuery: false,             // also accept ?api_key=… — leaks to logs (default false)
  queryParam: 'api_key',         // query param name when allowQuery (default)
  extractors: undefined,         // custom ordered extractors; overrides header/query entirely
  attachTo: 'apiKey',            // request property the key record is attached to (default)
  resolvePrincipal: undefined,   // optional: (record) => req.user
  registerGuard: true,           // register the guard globally via APP_GUARD (default)
  isGlobal: true,                // module is global (default)
});

| Option | Default | Description | | --- | --- | --- | | store | — | Your ApiKeyStorefindByHash / revoke / optional touch / optional save (required). | | header | 'Authorization' | Header the key is read from. | | scheme | 'ApiKey' | Auth scheme/prefix (case-insensitive); '' reads the raw header value. | | allowQuery | false | Also accept the key from a query param (it leaks into logs — opt-in). | | queryParam | 'api_key' | Query param name when allowQuery. | | extractors | header (+ query) | Ordered extractors, first non-empty wins; overrides header/query when set. | | attachTo | 'apiKey' | Request property the key record is attached to. | | resolvePrincipal | — | Resolve the record to a principal attached at req.user. | | registerGuard | true | Register the guard globally via APP_GUARD. | | isGlobal | true | Register the module globally. |

Per-route use

Disable the global guard (registerGuard: false) and apply per-controller — the guard is exported:

@UseGuards(ApiKeyGuard)
@Controller('partner')
export class PartnerController {}

API

Module & enforcement

| Export | Description | | --- | --- | | ApiKeyModule.forRoot(options) / forRootAsync(options) | Configure the store + behavior. See Configuration. | | ApiKeyGuard | The default-deny guard. Global by default; exported for per-route @UseGuards. | | ApiKeyService | issue(record, generate?){ key, issued }, revoke(id). | | @Public() · @RequireScopes(...) · @ApiKey() | Exempt a route · require scopes (403) · inject the key record. | | IS_PUBLIC_KEY · REQUIRE_SCOPES_KEY | Metadata keys (for custom reflection). |

Helpers (framework-free) & advanced

| Export | Description | | --- | --- | | generateApiKey({ prefix?, bytes? }) | Mint a labelled, high-entropy opaque key (default 256-bit). | | hashApiKey(key) | SHA-256 hex — store & look up keys by this. | | parseDisplayPrefix(key, headChars?) | Non-secret leading slice for dashboards. | | scopeSatisfies(required, granted) · isExpired(date, now?) | Scope-matching & expiry helpers. | | headerExtractor(header, scheme) · queryExtractor(param) | Build custom extractors. | | APIKEY_OPTIONS · resolveOptions(options) | DI token & options resolver. |

TypesApiKeyStore, ApiKeyRecord, IssuedApiKey, AuthenticatedRequest, ApiKeyOptions, ApiKeyAsyncOptions, ApiKeyBehavior, ApiKeyProviders, ResolvedApiKeyOptions, ApiKeyExtractor, GenerateApiKeyOptions.

Related Projects

License

MIT © Onur Yıldırım