Releases: rameerez/api_keys
Release list
v0.3.0
Highlights
Major release adding Stripe-style key types with permission ceilings, environment isolation (test/live), and a security fix for scope enforcement.
New Features
- Stripe-style key types โ publishable (
pk_*) and secret (sk_*) keys with per-type permission ceilings - Environment isolation โ test/live key prefixes (
pk_test_,sk_live_) with strict environment enforcement - Public key token storage โ non-revocable publishable keys can be viewed again in the dashboard
- Headless helpers โ for apps with custom dashboard integrations
- Usage analytics scopes โ admin dashboard query helpers
Fixes
- Fix PostgreSQL
FOR UPDATEwithCOUNTaggregate error - Security: Fix blank scopes bypass in key_types mode โ empty scopes no longer grant unrestricted access when permission ceilings are configured
What's Changed
- Ensure comprehensive testing and production readiness by @rameerez in #5
- Add Stripe-style key types and environments (publishable/secret keys with test/live isolation) by @rameerez in #6
- Fix PostgreSQL FOR UPDATE with COUNT aggregate error by @rameerez in #7
- Add public key token storage for non-revocable publishable keys by @rameerez in #8
- Add headless helpers for custom dashboard integrations by @rameerez in #9
- Add usage analytics scopes for admin dashboards by @rameerez in #10
- Fix blank scopes bypass in key_types mode by @rameerez in #11
Full Changelog: v0.2.1...v0.3.0
Production-readiness review (2026-07-07)
Full release review ahead of the RubyGems push and the RailsFast v1.0.0 integration โ verdict: GO. (At review time 0.3.0 was tagged but not yet on RubyGems, so Bundler still resolved 0.2.1.) Everything below was verified empirically inside a fresh RailsFast app โ Ruby 4.0.5 / Rails 8.1.3 / PostgreSQL with uuid primary keys โ not just the gem's own suite:
- Install path:
rails generate api_keys:installcorrectly picks up the host app'sprimary_key_type(uuid) for both the table and the polymorphic owner FK, andjsonbon PostgreSQL. - Auth matrix (integration-tested): missing/garbage/truncated tokens โ
missing_token/invalid_token; revoked โrevoked_key; expired โexpired_key;Bearerand rawAuthorizationheader forms both accepted;authenticate_api_key!(scope:)gates enforced (missing_scope); simple mode's "no scopes = unrestricted" default confirmed. The documentedActionController::API+include ApiKeys::Controllerpattern works as advertised on Rails 8.1. - Security spot-checks: plaintext is never persisted (stored digest ==
SHA256(token),#tokennil after reload); publishable-key plaintext storage is correctly double-gated onpublic: trueandrevocable: false; the dashboard is fully owner-scoped (a cross-user access probe was rejected); revocation lag is bounded by the 5-second defaultcache_ttl; token entropy is 24 random bytes (~192 bits) with the default:sha256strategy giving O(1) indexed lookup. - Dashboard: Devise-authenticated mount, key minting through the UI (blank form scopes cleaned), show-once plaintext, revoke flow โ all green.
- Boot/deploy gates: host-app suite green with the gem enabled (235 runs, 0 failures), zeitwerk production-parity eager load clean,
assets:precompilewith no reachable database exits 0 (Docker image builds are safe), and a fullRAILS_ENV=productioneager-loaded boot verified end to end. - Package:
gem buildproduces a clean package โ 61 files, zero test/dummy leakage. - CI: matrix green on Ruby 3.3 / 3.4 / 4.0 ร Rails 7.2 / 8.1.
Non-blocking hardening and polish follow-ups from the review are tracked in #12.
v0.2.1
#4 Fixes a production error that was caused by SecurityController referencing a non-existent callback :authenticate_api_keys_user! instead of the correct :authenticate_api_keys_owner! defined in ApplicationController
For searchability, the verbatim error was:
Before `process_action` callback `:authenticate_api_keys_user!` has not been defined
User-agnostic API key owner
- Make gem owner-agnostic: API keys can now belong to any model (User, Organization, Team, etc.)
- Add flexible dashboard configuration for custom owner models
- Add support for multi-tenant and team-based API key ownership
- Improve documentation with common ownership scenarios
- Add configuration options for current_owner_method and authenticate_owner_method
๐ Initial release!
Initial release:
- Issue new keys
- Secure store of hashed digest
- Sensible, secure defaults
- Self-serve dashboard mountable via Rails engine
- Revoke keys, expire tokens, etc.