Forem: Guillermo Olcina Martínez The latest articles on Forem by Guillermo Olcina Martínez (@guiolmar). https://forem.com/guiolmar https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3257712%2F163652a6-7cb1-4218-91c6-f56424bb68d4.jpeg Forem: Guillermo Olcina Martínez https://forem.com/guiolmar en How to Protect Your FastAPI Public API with API Keys Guillermo Olcina Martínez Tue, 05 Aug 2025 10:32:34 +0000 https://forem.com/guiolmar/how-to-protect-your-fastapi-public-api-with-api-keys-3c7c https://forem.com/guiolmar/how-to-protect-your-fastapi-public-api-with-api-keys-3c7c <p>FastAPI is a powerful web framework for building APIs quickly and efficiently in Python. But once your API is public, you’ll want to protect it from abuse. One simple and effective way is using <strong>API Keys</strong>.</p> <p>In this post, I’ll show you how to set up basic API Key validation in FastAPI.</p> <h2> 🔐 Why API Keys? </h2> <p>API Keys let you:</p> <ul> <li>Identify the client making requests</li> <li>Limit usage (rate limiting, quota)</li> <li>Disable keys without affecting others</li> <li>Secure endpoints behind access controls</li> </ul> <h2> 🛠️ Step 1: Define Your API Key Dependency </h2> <p>We'll use FastAPI's dependency injection system to require API keys on specific routes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Depends</span><span class="p">,</span> <span class="n">HTTPException</span><span class="p">,</span> <span class="n">Header</span><span class="p">,</span> <span class="n">status</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">API_KEYS</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">123456</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">abcdef</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">my-secret-key</span><span class="sh">"</span><span class="p">}</span> <span class="c1"># Normally load this from a database or environment </span> <span class="k">def</span> <span class="nf">verify_api_key</span><span class="p">(</span><span class="n">x_api_key</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Header</span><span class="p">(...)):</span> <span class="k">if</span> <span class="n">x_api_key</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">API_KEYS</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="n">status</span><span class="p">.</span><span class="n">HTTP_401_UNAUTHORIZED</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid or missing API Key</span><span class="sh">"</span> <span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/public</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">public_endpoint</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">This is public</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/protected</span><span class="sh">"</span><span class="p">,</span> <span class="n">dependencies</span><span class="o">=</span><span class="p">[</span><span class="nc">Depends</span><span class="p">(</span><span class="n">verify_api_key</span><span class="p">)])</span> <span class="k">def</span> <span class="nf">protected_endpoint</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">You have access with a valid API key</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <h2> 🧪 Testing </h2> <p>You can test it with <code>curl</code> or Postman:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost:8000/protected <span class="nt">-H</span> <span class="s2">"x-api-key: 123456"</span> </code></pre> </div> <p>If the key is valid, you’ll get access. Otherwise, a 401 Unauthorized response.</p> <h2> 📦 Optional: Use Limitly to Manage Keys, Limits &amp; Plans </h2> <p>If you're building a commercial API and want to manage API keys, track usage, and set limits without building it from scratch — check out <a href="https://app.limitly.dev/" rel="noopener noreferrer">Limitly</a>.</p> <p>It’s a plug-and-play API access manager that works great with FastAPI.</p> <h2> 🚀 Final Thoughts </h2> <p>This approach is simple and scalable for small to medium APIs. For more advanced use cases, you can:</p> <ul> <li>Store keys in a database</li> <li>Add rate-limiting</li> <li>Track usage per key</li> <li>Disable compromised keys dynamically</li> </ul> <p>Protect your API early — it’s better than handling abuse later.</p> <p>Happy coding! 🧑‍💻</p> fastapi python backend webdev How to Secure Your Public API in Next.js Using API Keys Guillermo Olcina Martínez Tue, 05 Aug 2025 10:30:44 +0000 https://forem.com/guiolmar/how-to-secure-your-public-api-in-nextjs-using-api-keys-356m https://forem.com/guiolmar/how-to-secure-your-public-api-in-nextjs-using-api-keys-356m <p>Exposing API routes publicly in your Next.js app can be dangerous if you don't protect them properly. If you're building something like a public-facing SaaS, internal tools, or microservices, validating API keys is a simple and effective way to protect your endpoints.</p> <p>In this post, you'll learn how to secure your <code>/api</code> routes using API keys with minimal code.</p> <h2> 🔐 Step 1: Generate and store your API keys </h2> <p>In a real-world scenario, you'd generate an API key for each client/user and store it securely in your database. But for the purpose of this example, we'll hardcode a key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/validateApiKey.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">isValidApiKey</span> <span class="o">=</span> <span class="p">(</span><span class="nx">key</span><span class="p">?:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">validKeys</span> <span class="o">=</span> <span class="p">[</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">INTERNAL_API_KEY</span><span class="p">];</span> <span class="k">return</span> <span class="nx">key</span> <span class="o">&amp;&amp;</span> <span class="nx">validKeys</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">key</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <p>Don't forget to set your <code>INTERNAL_API_KEY</code> in <code>.env.local</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>INTERNAL_API_KEY=your-secret-key </code></pre> </div> <h2> 🧩 Step 2: Add middleware to protect routes </h2> <p>Next.js supports <a href="https://nextjs.org/docs/app/building-your-application/routing/middleware" rel="noopener noreferrer">Edge Middleware</a> and route handlers. For this guide, we'll use a simple pattern in an API route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// pages/api/secure.ts</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextApiRequest</span><span class="p">,</span> <span class="nx">NextApiResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">isValidApiKey</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/validateApiKey</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextApiRequest</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">NextApiResponse</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-api-key</span><span class="dl">'</span><span class="p">]</span> <span class="k">as</span> <span class="kr">string</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">isValidApiKey</span><span class="p">(</span><span class="nx">apiKey</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Access granted 🎉</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>You can now test it using curl or Postman:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-H</span> <span class="s2">"x-api-key: your-secret-key"</span> http://localhost:3000/api/secure </code></pre> </div> <h2> ✅ Best Practices </h2> <ul> <li>Use a proper database to store keys, and hash them if possible.</li> <li>Rotate and expire keys.</li> <li>Assign scopes or permissions to different API keys.</li> <li>Monitor usage and rate limit requests per key.</li> </ul> <h2> 🛠️ Looking for a managed solution? </h2> <p>If you're building a SaaS or API-first product and don't want to handle all of this manually, check out <a href="https://app.limitly.dev" rel="noopener noreferrer">Limitly</a>. It helps you manage API keys, enforce rate limits, and track usage — all via a simple SDK.</p> <p>Happy building! 🚀</p> api webdev nextjs programming 🔐 How to Protect Your Public Express API Using API Keys Guillermo Olcina Martínez Tue, 05 Aug 2025 10:26:52 +0000 https://forem.com/guiolmar/how-to-protect-your-public-express-api-using-api-keys-11e8 https://forem.com/guiolmar/how-to-protect-your-public-express-api-using-api-keys-11e8 <p>If you're building an API in Express.js and plan to expose it publicly — maybe to clients, third-party devs, or internal tools — you <em>need</em> some way to control access.</p> <p>One of the most common and effective ways to do this is using <strong>API keys</strong>.</p> <p>In this post, I’ll walk you through a simple way to implement API key protection in your Express API. No fancy gateways, no unnecessary bloat — just straightforward logic you can build on.</p> <h2> 🚧 Why API Keys? </h2> <p>API keys are unique tokens (usually strings) that your users include in their requests. You can:</p> <ul> <li>Identify who's calling your API.</li> <li>Set limits (like 1,000 requests per day).</li> <li>Revoke keys if needed.</li> <li>Analyze usage by key/project/client.</li> </ul> <p>Perfect for public or semi-public APIs that don’t need full OAuth complexity.</p> <h2> 🛠️ Basic API Key Middleware in Express </h2> <p>Here’s a minimal implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// middleware/apiKey.js</span> <span class="kd">const</span> <span class="nx">validApiKeys</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">abc123</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// In real use, store these in a DB</span> <span class="dl">'</span><span class="s1">def456</span><span class="dl">'</span><span class="p">,</span> <span class="p">];</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">apiKeyMiddleware</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nf">header</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-api-key</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">apiKey</span> <span class="o">||</span> <span class="o">!</span><span class="nx">validApiKeys</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">apiKey</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>And in your Express app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">apiKeyMiddleware</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./middleware/apiKey.js</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api</span><span class="dl">'</span><span class="p">,</span> <span class="nx">apiKeyMiddleware</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/data</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Hello, world!</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Server running on port 3000</span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <h2> 🧠 A Few Tips </h2> <ul> <li>Store API keys in a <strong>database</strong> (with metadata like usage, owner, status).</li> <li>Add <strong>rate limiting</strong> to prevent abuse.</li> <li>Consider <strong>rotating</strong> keys over time.</li> <li>Log each request to track usage per key.</li> </ul> <h2> ⚡ Want to Skip the Boilerplate? </h2> <p>If you don’t want to build all this from scratch, you can use a tool like <a href="https://app.limitly.dev/" rel="noopener noreferrer">Limitly</a> — it handles API key creation, validation, usage limits (daily, weekly, etc.), and request tracking with an SDK you can plug into your Express app.</p> <p>I built it because I was tired of reinventing this every time I launched an API.</p> <p>Let me know if you use a different method or have feedback — always happy to learn new approaches!</p> api programming webdev express Supadex: A Mobile Dashboard for Supabase Developers 🚀 Guillermo Olcina Martínez Wed, 11 Jun 2025 10:13:45 +0000 https://forem.com/guiolmar/supadex-a-mobile-dashboard-for-supabase-developers-5973 https://forem.com/guiolmar/supadex-a-mobile-dashboard-for-supabase-developers-5973 <p>Hey DEV community! 👋</p> <p>If you’re building apps with <strong>Supabase</strong>, you know how powerful it is as a Postgres-based backend. But what if you could <strong>monitor and manage your Supabase projects directly from your phone</strong>?</p> <p>That’s exactly why I built <strong>Supadex</strong> — a mobile companion for developers who want real-time visibility and control over their Supabase instances, even when they’re away from their laptop.</p> <h2> 🚦 Why Supadex? </h2> <p>Supabase is amazing, but if you've ever tried to quickly check a query result or manage a storage bucket while commuting or in a meeting, you know it's not super mobile-friendly.</p> <p>Supadex solves that.</p> <p>With Supadex, you get a <strong>native mobile dashboard</strong> that connects securely to your Supabase projects and offers:</p> <ul> <li>🔍 <strong>Real-time Analytics</strong>: Keep an eye on REST and Auth requests, track usage, and monitor active users — all from your phone.</li> <li>🗃️ <strong>Database Management</strong>: Browse tables, write SQL, save your favorite queries, and run them on the go.</li> <li>📁 <strong>Storage Tools</strong>: Navigate buckets, manage files, share public URLs — faster than opening your laptop.</li> <li>🔒 <strong>Privacy-first Approach</strong>: Tokens are stored <em>locally</em> only. No data collection, no tracking. You stay in control.</li> <li>⚙️ <strong>Developer Quality of Life</strong>: Multi-project support, dark mode, and real-time updates with a smooth interface.</li> </ul> <h2> 👨‍💻 Who is Supadex for? </h2> <ul> <li>Supabase developers (obviously)</li> <li>Backend engineers working remotely or on-call</li> <li>DevOps folks who need to check logs/stats quickly</li> <li>Full-stack devs who don’t want to SSH into a VPS just to check a DB</li> <li>Anyone who builds side-projects and wants easy access to Supabase on mobile</li> </ul> <h2> 📲 Pricing </h2> <p>Supadex is a premium tool, but it comes with flexible options:</p> <ul> <li>$3.99/month</li> <li>$39.99/year</li> <li>Or a $79.99 lifetime plan</li> </ul> <p>Think of it as paying for peace of mind (and fewer rushed logins to the Supabase web UI in weird places 😅).</p> <h2> 🔗 Try it out </h2> <p>If you use Supabase regularly and want more control on the go, give <strong>Supadex</strong> a try. I’d love your feedback or suggestions — I’m actively improving it!</p> <p>→ <a href="https://apps.apple.com/es/app/supadex-monitor-for-supabase/id6741071194" rel="noopener noreferrer">Download Supadex on the App Store 🍎</a><br><br> → <a href="https://play.google.com/store/apps/details?id=com.guiolmar.supadex" rel="noopener noreferrer">Download Supadex on the Play Store 🤖</a><br><br> → <a href="https://www.supadex.app" rel="noopener noreferrer">Visit the website</a></p> <p>Let me know what you think — happy to answer any questions or dive into how I built it, if that’s helpful!</p> <p>Cheers,<br><br> <em>– Guillermo Olcina</em> 🧑‍💻</p> supabase database postgres reactnative