📌 Description
API keys support hashing, scopes, and rotation, but there is no per-key usage
visibility: when a key was last used, from where, and how often. Operators cannot
identify dormant keys to revoke or spot anomalous usage spikes. This is a common
prerequisite for least-privilege key hygiene.
This issue adds last-used tracking and lightweight usage counters per API key
plus an org-scoped analytics endpoint.
🎯 Requirements and Context
- Track last_used_at, request count, and last-seen IP per key, updated on the
  auth path without adding a synchronous write on every request (batch/throttle
  the update).
- Add GET /api/orgs/:id/api-keys/usage returning per-key usage.
- Must be org-scoped; never expose key material or hashes.
- Updates must not measurably increase auth latency (async/coalesced writes).
🛠️ Suggested Execution
1. Fork the repo and create a branch
git checkout -b feature/api-key-usage-analytics
2. Implement changes
- Add throttled usage updates to src/services/apiKeys.ts and
  src/middleware/apiKeyAuth.ts.
- Add a Knex migration for the usage columns/counters.
- Add the route to src/routes/apiKeys.ts.
- Add src/tests/apiKeys.usageAnalytics.test.ts.
- Document in docs/api-keys.md.
3. Test and commit
- Run: npm test -- src/tests/apiKeys.usageAnalytics.test.ts
- Cover edge cases: last-used update coalescing, dormant key detection, cross-org
isolation, no key material leaked, counter accuracy under concurrency.
Example commit message
feat: API-key usage analytics with throttled last-used tracking
✅ Guidelines
- Minimum 95% test coverage on new/changed lines.
- No measurable auth-path latency regression; never expose key material.
- Timeframe: 96 hours.
🏷️ Labels
type-feature · type-enhancement · area-backend · MAYBE REWARDED · GRANTFOX OSS · OFFICIAL CAMPAIGN
💬 Community & Support
- Join the contributor Discord to coordinate, ask questions, and get unblocked fast: https://discord.gg/xvNAvMJf
- Please introduce yourself in the channel before you start so we can avoid duplicate work, pair you with a reviewer, and get your PR merged quickly.
- Maintainers actively triage this channel and aim for fast, clear, respectful reviews — reach out any time you're blocked.
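
One way to meet the "no synchronous write on the auth path" requirement, as an added sketch that is not code from this repository: usage is coalesced in memory per key and written in one batch by a periodic flush. The names `UsageCoalescer`, `UsageDelta`, `FlushSink` and `dormantKeys` are hypothetical, and the sink stands in for whatever batched Knex update the service uses.

```typescript
// Added example; UsageCoalescer, UsageDelta, FlushSink and dormantKeys are hypothetical names.
type UsageDelta = { keyId: string; count: number; lastUsedAt: number; lastIp: string };
// Assumed persistence hook: must apply `count` as an increment (count = count + delta)
// so several app instances flushing the same key do not overwrite each other.
type FlushSink = (batch: UsageDelta[]) => Promise<void>;

class UsageCoalescer {
  private pending = new Map<string, UsageDelta>();
  private readonly sink: FlushSink;
  constructor(sink: FlushSink) { this.sink = sink; }

  // Called by the auth middleware after a key verifies. Memory only, no I/O.
  record(keyId: string, ip: string, nowMs: number): void {
    const d = this.pending.get(keyId);
    if (d === undefined) {
      this.pending.set(keyId, { keyId, count: 1, lastUsedAt: nowMs, lastIp: ip });
      return;
    }
    d.count += 1;
    if (nowMs >= d.lastUsedAt) { d.lastUsedAt = nowMs; d.lastIp = ip; }
  }

  pendingKeys(): number { return this.pending.size; }

  // Called on a timer and at shutdown: one batched write per interval, not per request.
  async flush(): Promise<number> {
    if (this.pending.size === 0) return 0;
    const batch = Array.from(this.pending.values());
    this.pending = new Map(); // swap first so requests arriving mid-flush are kept
    try {
      await this.sink(batch);
      return batch.length;
    } catch {
      for (const b of batch) this.merge(b); // write failed: keep counts for the next flush
      return 0;
    }
  }

  private merge(b: UsageDelta): void {
    const d = this.pending.get(b.keyId);
    if (d === undefined) { this.pending.set(b.keyId, b); return; }
    d.count += b.count;
    if (b.lastUsedAt > d.lastUsedAt) { d.lastUsedAt = b.lastUsedAt; d.lastIp = b.lastIp; }
  }
}

// Dormant = never used, or last persisted use older than maxIdleMs.
function dormantKeys(rows: { keyId: string; lastUsedAt: number | null }[], nowMs: number, maxIdleMs: number): string[] {
  return rows.filter(r => r.lastUsedAt === null || nowMs - r.lastUsedAt > maxIdleMs).map(r => r.keyId);
}
```

Persisted last_used_at lags real use by up to one flush interval, so a dormancy cutoff should be much larger than that interval.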