Key Delegation & Rate Limiting
Delegate key creation authority to non-root keys and set rate limits per key.
What you'll learn
- ✓admin:api-keys scope allows key creation — only with equal or narrower scopes
- ✓delegatable_scopes field limits what a delegated key can create
- ✓rate_limit_rps — requests per second limit per key
- ✓GET /v1/admin/api-keys/:id/stats — usage statistics
- ✓429 Too Many Requests when rate limit exceeded
Create a key with rate_limit_rps: 5. Send 10 rapid requests. Observe 429 after the 5th.
Interactive Walkthrough
What you'll learn
Delegate key creation authority to non-root keys, and set rate limits per key.
Delegated key creation
A key with admin:api-keys scope can create other keys, but only with equal or narrower scopes:
`bash
# Create a key-manager key (can only create query keys)
curl -s -X POST http://localhost:7475/v1/admin/api-keys \
-H "Content-Type: application/json" \
-H "Authorization: Bearer spx_root_YOUR_ROOT_KEY" \
-d '{
"name": "key-manager",
"scopes": ["admin:api-keys", "query:*"],
"delegatable_scopes": ["query:*"]
}' | python3 -m json.tool
# key-manager creates a sub-key (can only have query:* — cannot escalate)
curl -s -X POST http://localhost:7475/v1/admin/api-keys \
-H "Content-Type: application/json" \
-H "Authorization: Bearer spx_sk_KEY_MANAGER_KEY" \
-d '{"name": "dashboard-reader", "scopes": ["query:*"]}' \
| python3 -m json.tool
`
Rate limiting
curl -s -X POST http://localhost:7475/v1/admin/api-keys \
-H "Content-Type: application/json" \
-H "Authorization: Bearer spx_root_YOUR_ROOT_KEY" \
-d '{
"name": "rate-limited-service",
"scopes": ["strand:write"],
"rate_limit_rps": 100
}' | python3 -m json.toolCheck usage stats
curl -s http://localhost:7475/v1/admin/api-keys/key_a1b2c3d4/stats \
-H "Authorization: Bearer spx_root_YOUR_ROOT_KEY" \
| python3 -m json.toolChallenge
Create a key with rate_limit_rps: 5. Write a loop that makes 10 calls in rapid succession. Observe that calls after the 5th are rate-limited (429 responses).
---