API keys are, generally speaking, hash values submitted in the authorization header of web service requests to identify the source of the request. They act as an access control, granting, denying or limiting an application’s access to the related data or service, and also protect that data from tampering.
However, this all-or-nothing approach to data access has its limitations, which is why Auth0’s Damian Schenkelman published this tutorial on using JSON Web Tokens (JWTs) as API keys. JWTs have the benefits of more granular security, allowing admins to assign specific permissions on the database. JWTs also offer a single token format across the board and the ability to put tokens on a mobile device, all with OAuth2 compliance.
This tutorial uses GitHub’s implementation of scopes within a token as an example of how to provide finer-grained control. The API endpoint implemented here creates new repos: the check_scopes middleware on the /api/user/repo route simply checks that the presented token carries the relevant scope attribute before the request is allowed through.
This example is written in node.js, but any language will work. Readers are encouraged to document the API properly; Auth0 itself relies on the Swagger API framework for interactive documentation. The author also provides a link to a working example of this backend implementation with their API v2.