Microservicessystem_design~25 mins

API key management in Microservices - System Design Exercise

Choose your learning style9 modes available

Learn Why Deep Arch Practice Challenge Design Recall Scale

Design: API Key Management System

Design covers API key lifecycle management, validation, and usage tracking. Does not cover full user authentication or billing systems.

Functional Requirements

FR1: Allow developers to create, view, and revoke API keys

FR2: Support multiple API keys per developer account

FR3: Enforce usage limits per API key (rate limiting)

FR4: Provide secure storage and transmission of API keys

FR5: Allow API keys to be scoped with permissions (read, write, admin)

FR6: Support key expiration and renewal

FR7: Audit logs for key usage and management actions

FR8: Integrate with existing microservices for authentication

Non-Functional Requirements

NFR1: Handle up to 100,000 active API keys

NFR2: API key validation latency under 10ms (p99)

NFR3: System availability 99.9% uptime

NFR4: Secure storage compliant with industry best practices

NFR5: Support horizontal scaling for high request volumes

Think Before You Design

Questions to Ask

❓ Question 1

❓ Question 2

❓ Question 3

❓ Question 4

❓ Question 5

❓ Question 6

Key Components

API Gateway or Authentication Service

API Key Management Service

Database for storing keys and metadata

Cache for fast key validation

Rate Limiter component

Audit Logging Service

Notification system for key expiration alerts

Design Patterns

Token-based authentication

Rate limiting with token bucket or leaky bucket

Caching for low latency validation

Event-driven audit logging

Key rotation and expiration

Reference Architecture

 +-------------------+       +-----------------------+       +------------------+
 |                   |       |                       |       |                  |
 |  API Gateway /    | <---> |  API Key Management    | <---> |  Database (SQL/NoSQL) |
 |  Auth Service     |       |  Service               |       |                  |
 |                   |       |                       |       |                  |
 +-------------------+       +-----------------------+       +------------------+
          |                             |                               |
          |                             |                               |
          v                             v                               v
 +-------------------+       +-----------------------+       +------------------+
 |                   |       |                       |       |                  |
 |  Cache (Redis)    |       |  Rate Limiter         |       |  Audit Logging    |
 |                   |       |                       |       |  Service          |
 +-------------------+       +-----------------------+       +------------------+

Components

API Gateway / Auth Service

Nginx, Envoy, or custom microservice

Intercepts API requests, extracts API key, and forwards for validation

API Key Management Service

Spring Boot, Node.js, or Go microservice

Handles API key creation, revocation, permission assignment, and expiration

Database

PostgreSQL or MongoDB

Stores API keys, metadata, permissions, usage stats

Cache

Redis or Memcached

Caches active API keys and permissions for fast validation

Rate Limiter

Redis-based token bucket algorithm

Enforces usage limits per API key

Audit Logging Service

Elastic Stack or Kafka + storage

Records key usage and management actions for compliance

Notification System

Email/SMS service or webhook

Alerts developers about key expiration or suspicious activity

Request Flow

1. Client sends API request with API key in header

2. API Gateway extracts API key and queries Cache for key validity and permissions

3. If cache miss, API Gateway calls API Key Management Service to validate key from Database

4. API Key Management Service returns key status and permissions

5. API Gateway enforces rate limiting by consulting Rate Limiter

6. If key is valid and under limit, request is forwarded to target microservice

7. API Key usage and request metadata are sent asynchronously to Audit Logging Service

8. Developers can manage keys via API Key Management Service UI or API

Database Schema

Entities: - DeveloperAccount (id, name, email) - APIKey (id, developer_id FK, key_hash, permissions, created_at, expires_at, revoked boolean) - UsageRecord (id, api_key_id FK, timestamp, endpoint, success boolean) - AuditLog (id, api_key_id FK, action, timestamp, details) Relationships: - DeveloperAccount 1:N APIKey - APIKey 1:N UsageRecord - APIKey 1:N AuditLog

Scaling Discussion

Bottlenecks

Cache misses causing high latency key validation

Rate limiter becoming a bottleneck under high request volume

Database write load from usage and audit logs

API Key Management Service handling many concurrent management requests

Solutions

Increase cache size and use TTL to reduce misses; use distributed cache cluster

Shard rate limiter by API key or use local rate limiting with periodic sync

Use write-optimized storage for logs; batch writes and use asynchronous processing

Scale API Key Management Service horizontally with load balancer

Interview Tips

Time: Spend 10 minutes clarifying requirements and constraints, 20 minutes designing architecture and data flow, 10 minutes discussing scaling and trade-offs, 5 minutes summarizing.

Explain how API keys provide secure, scoped access

Discuss caching to meet low latency validation

Describe rate limiting approach and why it's important

Highlight audit logging for security and compliance

Mention horizontal scaling and fault tolerance strategies