Add organization-scoped API-key usage analytics and last-used tracking to src/services/apiKeys.ts #855

@1nonlypiece

📌 Description

API keys support hashing, scopes, and rotation, but there is no per-key usage
visibility: when a key was last used, from where, and how often. Operators cannot
identify dormant keys to revoke or spot anomalous usage spikes. This is a common
prerequisite for least-privilege key hygiene.

This issue adds last-used tracking and lightweight usage counters per API key
plus an org-scoped analytics endpoint.

🎯 Requirements and Context

  • Track last_used_at, request count, and last-seen IP per key, updated on the
    auth path without adding a synchronous write on every request (batch/throttle
    the update).
  • Add GET /api/orgs/:id/api-keys/usage returning per-key usage.
  • Must be org-scoped; never expose key material or hashes.
  • Updates must not measurably increase auth latency (async/coalesced writes).

🛠️ Suggested Execution

1. Fork the repo and create a branch

git checkout -b feature/api-key-usage-analytics

2. Implement changes

  • Add throttled usage updates to src/services/apiKeys.ts and
    src/middleware/apiKeyAuth.ts.
  • Add a Knex migration for the usage columns/counters.
  • Add the route to src/routes/apiKeys.ts.
  • Add src/tests/apiKeys.usageAnalytics.test.ts.
  • Document in docs/api-keys.md.

3. Test and commit

  • Run: npm test -- src/tests/apiKeys.usageAnalytics.test.ts
  • Cover edge cases: last-used update coalescing, dormant key detection, cross-org
    isolation, no key material leaked, counter accuracy under concurrency.

Example commit message

feat: API-key usage analytics with throttled last-used tracking

✅ Guidelines

  • Minimum 95% test coverage on new/changed lines.
  • No measurable auth-path latency regression; never expose key material.
  • Timeframe: 96 hours.

🏷️ Labels

type-feature · type-enhancement · area-backend · MAYBE REWARDED · GRANTFOX OSS · OFFICIAL CAMPAIGN

💬 Community & Support

  • Join the contributor Discord to coordinate, ask questions, and get unblocked fast: https://discord.gg/xvNAvMJf
  • Please introduce yourself in the channel before you start so we can avoid duplicate work, pair you with a reviewer, and get your PR merged quickly.
  • Maintainers actively triage this channel and aim for fast, clear, respectful reviews — reach out any time you're blocked.
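
The coalesced last-used update, org scoping and "no key material" requirements from the issue above, shown as an added example that is not code from the repository. Every type, field and function name here (`UsageCoalescer`, `applyBatch`, `usageForOrg`, `demo`) is an assumption, and an in-memory `Map` stands in for the database table.

```typescript
// Added example with hypothetical names; a Map stands in for the api_keys table.
type UsageDelta = { keyId: string; orgId: string; count: number; lastUsedAt: number; lastIp: string };
type UsageRow = { keyId: string; orgId: string; keyHash: string; requestCount: number;
                  lastUsedAt: number | null; lastIp: string | null };

class UsageCoalescer {
  private pending = new Map<string, UsageDelta>();
  // Auth path: O(1) in-memory update keyed by key id (never key material), no database write.
  record(keyId: string, orgId: string, ip: string, now: number): void {
    const d = this.pending.get(keyId);
    if (!d) { this.pending.set(keyId, { keyId, orgId, count: 1, lastUsedAt: now, lastIp: ip }); return; }
    d.count += 1;
    if (now >= d.lastUsedAt) { d.lastUsedAt = now; d.lastIp = ip; }
  }
  // Flush path (run from a timer): swap the buffer so later hits go into the next batch.
  drain(): UsageDelta[] {
    const batch = Array.from(this.pending.values());
    this.pending = new Map();
    return batch;
  }
}
// Stand-in for one batched write. Counts are applied as increments, not overwrites,
// so several app instances flushing for the same key do not lose requests.
function applyBatch(rows: Map<string, UsageRow>, batch: UsageDelta[]): void {
  for (const d of batch) {
    const r = rows.get(d.keyId);
    if (!r) continue; // key was deleted between the request and the flush
    r.requestCount += d.count;
    if (r.lastUsedAt === null || d.lastUsedAt >= r.lastUsedAt) { r.lastUsedAt = d.lastUsedAt; r.lastIp = d.lastIp; }
  }
}
// Response for the usage endpoint: filter by org, copy only allow-listed fields (keyHash is
// never copied), and flag keys with no use inside the dormancy window.
function usageForOrg(rows: Map<string, UsageRow>, orgId: string, now: number, dormantAfterMs: number) {
  return Array.from(rows.values()).filter(r => r.orgId === orgId).map(r => ({
    keyId: r.keyId, requestCount: r.requestCount, lastUsedAt: r.lastUsedAt, lastIp: r.lastIp,
    dormant: r.lastUsedAt === null || now - r.lastUsedAt > dormantAfterMs,
  }));
}
// Constructed sample data: two keys in orgA, one in orgB; IPs are documentation ranges.
function demo() {
  const mk = (keyId: string, orgId: string): [string, UsageRow] =>
    [keyId, { keyId, orgId, keyHash: "constructed-hash-" + keyId, requestCount: 0, lastUsedAt: null, lastIp: null }];
  const rows = new Map<string, UsageRow>([mk("k1", "orgA"), mk("k2", "orgA"), mk("k3", "orgB")]);
  const c = new UsageCoalescer();
  c.record("k1", "orgA", "192.0.2.10", 1000);
  c.record("k1", "orgA", "192.0.2.11", 2000);
  c.record("k3", "orgB", "198.51.100.5", 1500);
  const batch = c.drain();
  applyBatch(rows, batch);
  return { batchSize: batch.length, orgA: usageForOrg(rows, "orgA", 3000, 5000) };
}
```

Counts still buffered when a process exits are lost unless `drain()` is also called on shutdown, so the counter is approximate by design.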
