SKILL-008 APIs, integrations, and automation Locked skill

API keys

Store only a hash of the key, never the key itself — show the raw secret exactly once, then you can never recover it (and neither can an attacker who reads your database).

01

What this skill helps you build

Issue programmatic API keys the right way — generated server-side, hashed at rest, shown once, scoped, rotatable, and revocable.

The production takeaway

Store only a hash of the key, never the key itself — show the raw secret exactly once, then you can never recover it (and neither can an attacker who reads your database).

02

Inside this skill

The full skill expands these implementation areas with decisions, edge cases, prompts, tests, and framework-specific code.

APIs, integrations, and automation
What this helps you build

Long lived API keys that let other programs authenticate to your app — the sk live … style secrets you hand to a customer's backend, a CI job, or a CLI. You'll generate them with r

🔒
APIs, integrations, and automation
When to use this

Reach for API keys when something that isn't a human in a browser needs to call your app: A customer's server integrating with your API webhooks, data sync . A CLI or SDK your user

🔒
APIs, integrations, and automation
The core idea

An API key is a bearer secret : whoever holds it is treated as the owner, so the secret is the whole identity. That forces three rules. 1. Generate it server side with real entropy

🔒
03

Unlock the full implementation

Paid access includes the complete skill body, implementation prompt, common mistakes, production checklist, and code examples where this skill includes them.