public active Last verified 2026-03-29

API Keys

Central API key model, scope ownership, and resource binding behavior across Topolo services.

Ownership

API key scope definitions and resource-binding catalogs are centrally served by Topolo Auth. TopoloOne consumes that metadata to create and manage keys without maintaining hardcoded per-application scope lists.

Key model

Each key has:

  • an owning organization
  • a target service
  • an explicit scope set
  • optional resource bindings
  • a lifecycle state, such as active or revoked

Resource bindings

Some services support resource-level constraints. In those cases, Topolo Auth stores a catalog of bindable resources for the service and validates requested bindings at key creation time.

Current consumer flow

  1. TopoloOne loads the list of services from Auth.
  2. TopoloOne requests API key scopes from Auth for the selected service.
  3. If resource patterns are defined, TopoloOne requests bindable resources from Auth for that service and organization.
  4. Auth validates the resulting key payload and stores the final resource bindings.
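
As an added example (not Topolo Auth's own code), the sketch below shows the kind of server-side check step 4 describes: the key payload is validated against the centrally served scope definitions and the bindable-resource catalog for that service and organization. The catalog contents, payload field names, and the names `validate_key_payload`, `ApiKey` and `KeyPayloadError` are all assumptions made for illustration.

```python
# Added illustration; every name and value below is a constructed assumption,
# not Topolo Auth's schema or API.
from dataclasses import dataclass

# Constructed sample metadata: scopes per service, bindable resources per (service, org).
SCOPES = {
    "billing": {"invoices:read", "invoices:write"},
    "storage": {"objects:read", "objects:write"},
}
BINDABLE = {
    ("storage", "org-a"): {"bucket/reports", "bucket/logs"},
    ("storage", "org-b"): {"bucket/media"},
}


class KeyPayloadError(ValueError):
    """Raised when a requested key does not match the central catalogs."""


@dataclass(frozen=True)
class ApiKey:
    organization: str
    service: str
    scopes: frozenset
    bindings: frozenset
    state: str = "active"  # new keys start active; revocation is a later transition


def validate_key_payload(payload: dict) -> ApiKey:
    org, service = payload.get("organization"), payload.get("service")
    if not org or service not in SCOPES:
        raise KeyPayloadError("unknown organization or service")

    scopes = frozenset(payload.get("scopes") or ())
    if not scopes:
        raise KeyPayloadError("scope set must be explicit and non-empty")
    unknown = scopes - SCOPES[service]
    if unknown:
        raise KeyPayloadError(f"scopes not defined for {service}: {sorted(unknown)}")

    # Bindings are optional, but any requested binding must be in the catalog
    # for this service AND this organization (blocks cross-organization binding).
    bindings = frozenset(payload.get("bindings") or ())
    rejected = bindings - BINDABLE.get((service, org), set())
    if rejected:
        raise KeyPayloadError(f"resources not bindable: {sorted(rejected)}")

    return ApiKey(org, service, scopes, bindings)
```

Because the check runs where the catalogs live, a client that skips steps 2 and 3 and submits a hand-built payload is still held to the same scope and binding rules.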

Operational note

Resource-binding catalogs are centralized in Auth for consistency and to avoid cross-application browser fetches, CORS coupling, and UI-specific duplication.