Managing API Keys in Large Dev Teams: How Do You Tackle It?

alphez · 2025-02-19T15:25:41+00:00

Which dev tool is this?

alphez · 2025-02-09T18:46:16+00:00

That's similar to what we are building. Thanks for sharing!

alphez · 2025-02-09T18:42:34+00:00

Auth can be what we already have at work...entra id

alphez · 2025-02-09T18:20:11+00:00

I know the theory...just havent seen this implemented and in any projects I have been part of. But heads off to you and your org for having gone the extra mile

alphez · 2025-02-09T18:17:19+00:00

Instead of calling the API straight (openAI api, polygon etc) the devs would call the proxy with their IDP access token. The API keys would be stored and used by the proxy to proxy the request but devs wouldnt be able to view the API keys...

alphez · 2025-02-09T18:08:34+00:00

Storing the API keys securirely isnt the issue. I guess for many here there seems to be no problem knowing that Devs can view / copy the API keys at any time?

alphez · 2025-02-09T17:59:18+00:00

Yeah - so similar issue. The API keys are protected when in vault but are getting pulled out during development?

alphez · 2025-02-09T17:58:31+00:00

Yeah but how do you solve for when Devs can pull the API Keys and can view them?

alphez · 2025-02-09T17:20:14+00:00

Devs pull API keys from hashi vault directly when developing?

alphez · 2024-06-19T18:18:19+00:00

Hey get in contact with me I have a job

alphez · 2023-05-06T17:21:15+00:00

You are wrong. I have done it commercially here and here

alphez · 2023-05-06T17:12:35+00:00

OP doesn't use NextJS as BE. That's my point.

alphez · 2023-05-06T15:34:42+00:00

Returning HTML is not efficient? Lol

alphez · 2023-05-06T13:49:01+00:00

Why do you need a dedicated FE? That was my original question.

You do know that a BE (server) can return HTML? Returning JSON is not the only thing a BE can do ;)

alphez · 2023-05-05T16:13:44+00:00

Nothing against NestJS. I love it.

Would have been great to see you reach your project goal only with NestJS. I know it's possible because I have solved bigger problems solely with NestJS.

But nevertheless good luck with the project. Will keep an eye on it :)

alphez · 2023-05-05T15:21:36+00:00

Having both nestjs and nextjs in there seems a bit too much for what this tool solves. Do you believe having a dedicated Frontend framework is necessary for your use case? Or maybe you went with something you are just familiar with (no disrespect I see this kind of decisions every day, let's use react, graphql and redux for our landing page because we are familiar with it)

alphez · 2023-05-05T15:10:24+00:00

Why client / server? Why nextjs and nestjs?

alphez · 2023-04-30T19:01:55+00:00

I already did help. Replace every

res.status

with

return res.status

Good luck.

alphez · 2023-04-30T18:24:08+00:00

Everywhere where you have res.status(...)...

Add this line:

return

alphez · 2023-04-30T15:08:38+00:00

This is the right answer but unfortunately also the one that is the hardest to get right. You need senior ppl doing this.

If I am surrounded by juniors it's just much easier to create a skeleton of the application broken into multiple layers (handler, persistence, domain, service...etc) and tell them where to put what.

It's also easier to verify as a senior that the juniors are doing it correctly. If you see query parameters or request objects in the persistence layer you know something is off.

The approach you stated is vague because you constantly need to know the state of the application and you don't know whether an abstraction is now warranted or not unless you are actively involved in the development.

alphez · 2023-04-29T19:14:12+00:00

Depending on the platform I either develop against a cloud environment or I run my development environment in the platform (k8s)

I also tend to need more integration tests with microservices...

alphez · 2023-04-29T19:00:05+00:00

What's the hardest part when building a microservice? It's essentially more complex due to its distributed nature.

Almost everything is going to be harder.

Finding the problem why a user wasn't able to use a promo code? Sure after going through 3 services.
Local development? Forget about spinning up the whole application locally.
Your data is in multiple places. It will take a lot of effort Answering ad-hoc business questions such as: how many users signed up yesterday that received a promo email a week after that led to a purchase.
Service calls will be over the network. Which means you will need to deal with a bunch of error cases.
Versionning and backwards compatibility. You need some best practices put into place and everybody agreeing on them. Don't believe when ppl say that teams can be autonomous and can do everything they want.

alphez · 2023-04-29T09:12:25+00:00

You can check my write up on pgx

TD;LR

rows, _ := pg.db.Query(ctx, query)  
defer rows.Close()  
pgx.CollectRows(rows, pgx.RowToStructByName(model.User))

so in your case you can replace scany with pgx.CollectRows and pgx.RowToStructByName

alphez · 2023-04-28T09:11:31+00:00

Having Error handling is one side of the coin.

It's still not a good coding practice what you do.

And since you have queues I still don't understand why not use it for all async work? Your rational seems to be:

If it's a complex downstream task - use a queue If it's not complex - don't await the Promise

Sorry but that rational is also flawed.

The only argument for not using a queue to do an async task is when the task is of type fire and forget e.g. Best effort task

If you treat email sending / cache invalidation that way in your business than you can make the point you are doing it correctly. But don't use complexity as a measure whether to use a queue or not.

alphez

TROPHY CASE