Managing API Keys and Projects - Bud Stack Documentation

Why this guide matters

Projects and API keys are the two most important control surfaces for access governance in Customer Dashboard.

Project design recommendations

Use consistent naming (team-workload-environment).
Keep prod and non-prod in separate projects.
Add tags for cost center, owner, and compliance domain.

API key lifecycle

Create

Create keys per service integration, not per individual user.
Set explicit expiry dates where possible.

Store

Store keys only in secure secret managers.
Never embed keys in frontend bundles or repos.

Rotate

Rotate regularly and after personnel or ownership changes.
Prefer dual-key rotation windows to avoid downtime.

Revoke

Revoke immediately if compromise is suspected.
Remove unused keys to minimize attack surface.

Common workflows

Create project for a new product surface.
Create API key scoped to that project.
Deploy with secure secret injection.
Track last used and expiry from API key table.
Rotate or revoke based on lifecycle policy.

Validation checklist

Every key is mapped to exactly one project and service owner.
Keys have expiry and rotation cadence.
Revocation process is documented and tested.

Observability and Usage MonitoringUse Logs, Usage, and Audit to manage reliability and spend

Why this guide matters
Project design recommendations
API key lifecycle
Create
Store
Rotate
Revoke
Common workflows
Validation checklist