Ezzy

API keys

Project-scoped API keys for blogs and announcements APIs.

API keys are project-scoped. They authenticate requests to the public APIs (blogs, announcements popup/carousel, etc.) and are created and revoked from the profile page.

Data model

Table apiKeys: userId, projectId, keyHash (SHA-256), keyPrefix (e.g. sk_live_ for display), optional name, lastUsedAt, createdAt. Full key is shown only once at creation.

Convex API (convex/apiKeys.ts)

  • generateApiKey — Create key for a project (returns full key once; caller must store it).
  • listApiKeys — List user's keys (prefix, name, dates; no full key).
  • deleteApiKey — Revoke a key.
  • validateApiKey — Check key, return userId, projectId, apiKeyId for API routes.
  • updateApiKeyLastUsed — Update last-used timestamp.

Using API keys in requests

Send the key in one of two ways:

  • X-API-Key header: X-API-Key: sk_live_...
  • Authorization header: Authorization: Bearer sk_live_...

All public API routes (/api/v1/blogs, /api/v1/announcements/popup, /api/v1/announcements/carousel) use this. The key determines the project context (e.g. which blog/announcement data is returned).

App usage

From Profile you create API keys per project, name them, copy the key once, and delete keys when no longer needed.

Announcements

Pop-up and carousel announcements linked to blog posts.

Blogs

Rich-text posts with TipTap and public API.