Validate API key

Validates a plaintext API key supplied in the x-api-key header. The key is hashed before lookup. If the api_keys record exists, is active, has not expired, and has not exhausted its usage limit, the response returns the owning user UUID and tenant from that record. This route is the credential validation endpoint itself and does not require a separate session, tenant header, or RBAC permission.

Header parameters

x-api-keystringRequired

Plaintext API key to validate. The service hashes this value before looking up the api_keys record.

Response body

Success response 200 · schema ValidateApiKeyResponse

isValidbooleanRequired

Indicates that the API key is active and valid.

Enum: true

userIdstring <uuid>Required

UUID of the user who owns the API key, from api_keys.user_id.

tenantstringRequired

Tenant identifier scoped to this API key, from api_keys.tenant.

Response codes

200

API key is valid and active.

401

The x-api-key header is missing, or the key is invalid, inactive, expired, or usage-exhausted.

500

Unexpected error while validating the API key.

POST /api/auth/validate-api-key

cURL

curl -X POST "https://algapsa.com/api/auth/validate-api-key" \
  -H "X-API-Key: $ALGA_API_KEY"

TypeScript

const response = await fetch("https://algapsa.com/api/auth/validate-api-key", {
  method: "POST",
  headers: {
    "X-API-Key": "$ALGA_API_KEY",
  }
});
const data = await response.json();

using var client = new HttpClient();
using var request = new HttpRequestMessage(HttpMethod.Post, "https://algapsa.com/api/auth/validate-api-key");
request.Headers.TryAddWithoutValidation("X-API-Key", "$ALGA_API_KEY");
var response = await client.SendAsync(request);
var body = await response.Content.ReadAsStringAsync();

200 OK·application/json

{
  "isValid": true,
  "userId": "01HN2K7VRB9PQ3Y0000000000",
  "tenant": "string"
}