ApiShare 1.9: the key management your API ecosystem was missing

In the API world, authentication keys are the gateway to systems, data, and critical services. And like any gateway, they need to be carefully monitored, regularly updated, and managed with structure. But for those working with complex APIs and distributed environments, reality often looks quite different: forgotten keys, uncontrolled reuse, manual revocations, missed expirations… and unexpected service disruptions.

With the 1.9 release, ApiShare introduces a long-awaited and essential capability: advanced authentication key management (Key Set Management). This isn’t just about adding more control — it’s a complete transformation in how keys are created, assigned, rotated, expired, and revoked, all within a platform built to enable true enterprise-grade API governance.

The new feature brings tangible benefits to all roles involved in the API lifecycle:

• Developers seeking uninterrupted access and less manual overhead

• Security and DevOps teams that must enforce consistent policies and ensure compliance

• IT Managers looking for tools to automate and simplify operations

With Key Set Management, security becomes automated, rotations become predictable, and revocations are no longer a race against time. All of this while maintaining the flexibility to adapt to different environments, diverse APIs, and multiple authentication models.

In this article, we explore in detail what’s new in release 1.9, how the new key management system works, and why it represents a decisive step for anyone aiming to build a scalable, secure, and governable API infrastructure

Key Set Management: what the new feature introduces

ApiShare’s new Key Set Management functionality is much more than just a control module — it’s a complete platform for managing the entire lifecycle of authentication keys, combining automation, transparency, and security.

A unified view of key management

The starting point is the Workspace > Keys section, where each user can access the complete list of keys associated with their organization. The new interface allows users to:

• Quickly view the status of each Key Set (Pending, Active, Suspended, Revoked, Expired)

• Filter and search keys by authentication type, environment, status, expiration date, associated APIs, and more

• Access a detailed view of each Key Set, which displays: Credential value (where permitted), Applied policy, Linked APIs and Lifecycle events, both scheduled and completed 

At a glance, users gain full visibility into what’s active, what’s about to expire, what’s suspended or revoked — without the need to cross-reference different environments or external tools.

Lifecycle under control (for real)

Each key follows a structured lifecycle defined by the policy it is associated with:

• Automatic creation upon API subscription

• Smart reuse of existing keys when compatible by policy, environment, and application

• Scheduled rotation (with the option of a grace period where two keys coexist)

• Automatic expiration at the end of the defined validity period 

• Manual revocation or suspension (with the possibility of reactivation)

• Manual regeneration in case of emergencies or key compromise

Each stage is tracked in the event timeline, with scheduled and actual dates, automated notifications, and action options based on user permissions. 
No more spreadsheets to check “when does that key expire?” — everything is under control.

Policy-Based Automation: the real power behind the scenes

At the heart of the new Key Set Management is a highly flexible Policy Template engine. Administrators can define templates that govern:

• The type of authentication (API Key, OAuth, etc.)

• The rotation frequency

• The validity period

• Permissions for manual regeneration

• The maximum number of simultaneous valid keys

• Applicability based on environment, API tags, and categories

Each Key Set inherits the policy of its API at the time of subscription. 
This enables centralized automation of key management while maintaining fine-grained control per environment, per API, and per authentication model.

Rotation, Expiration, and Regeneration: Clear, Secure, and Automated Flows

With the 1.9 release, ApiShare introduces automated and controlled lifecycle management for authentication keys, addressing one of the most critical aspects of API ecosystems: ensuring continuous access in high-security environments. Let's break down the three main flows.

Automatic Rotation: Security Without Downtime

Automatic rotation is one of the most effective tools to mitigate long-term key compromise risks. With ApiShare:

• Keys are rotated automatically based on the frequency set in the associated policy 

• New key is generated before the current one expires, with both remaining valid during a grace period

• At any time, a maximum of two active keys per Key Set is allowed, as defined by security policy

• The new key inherits the same policies as the previous one

The result: no downtime, no frantic updates to integrated systems. Everything happens in the background, with full visibility via the milestone timeline showing both scheduled and actual rotation dates. 

Automatic Expiration: Secure and Traceable End-of-Life

While rotation is the handoff moment, expiration is the final step: a key cannot be used beyond its validity.

• Each Key Set can be configured to expire automatically after a set period

• The expiration date is calculated when the key is created

• This is also tracked in the timeline

• If expiration and rotation are scheduled for the same day, rotation takes priority and must complete first

ApiShare sends automatic alerts to warn users of upcoming expiration, reducing service interruption risks.

Manual Regeneration: The Ready Response to the Unexpected

Sometimes, automatic rotation isn’t enough. Example? A key has been exposed by mistake or is suspected to be compromised. Enter manual regeneration.

• Available only if enabled by policy

• Users can manually regenerate a key through the interface

• The previous key is immediately revoked, and the new one activated (either in active or suspended state, depending on context)

• As always, the policy defines if and how regeneration is allowed

This feature is especially useful for ensuring business continuity in sensitive environments without losing centralized control.

Notifications and Alerts: No More Surprises

ApiShare supports a configurable notification system to keep users informed of critical events: 

• Upcoming expiration alerts

• Rotation in progress warnings

• Suspension or revocation notices

Each user can configure preferences under Admin > Notifications by selecting which event types to monitor.

Centralized Governance, Distributed Operations

One of the strengths of the new feature is the clear separation between who defines the rules and who executes them, enabling safe governance without blocking operational agility.

Policy Templates: The Heart of Control

ApiShare administrators can create and edit Policy Templates that define key behavior:

• Key validity duration (e.g., 30 days, 3 months)

• Automatic rotation frequency

• Manual regeneration permission

• Maximum number of simultaneously active keys (max 2)

• Conditional rules based on API tags and categories

Each policy is dynamically associated with APIs during subscription, following configurable rules suited to complex organizations with multiple environments, distributed teams, and varying needs.

Environment- and Authentication-Aware Management

Key management logic adapts to specific usage contexts:

• The same API in different environments generates separate Key Sets

• APIs in the same environment but with different policies also generate separate keys

• Differentiation is fine-grained: by environment, API, authentication type, and policy template

This architecture enables granular control while maintaining centralized visibility.

Permission Control and Operational Security

All operations are subject to role-based permissions (admin, developer, integrator). Only authorized users can:

• Suspend, revoke, or reactivate keys

• Manually regenerate a Key Set

• View or export credentials

This ensures secure handling even in daily operations, without slowing down development.

Why This Feature Makes a Difference

Anyone who has managed an API ecosystem knows: authentication keys are both a technical and organizational responsibility. The new Key Set Management tackles this head-on, offering a system designed to be secure, scalable, and reliable.

Here’s why it’s a game-changer:

Less Risk, More Security

• Forgotten or unrecalled keys are eliminated

• Automatic expiration and continuous rotation

• Reduced risk of unauthorized access

More Control, Less Manual Work

• Full visibility into key status

• Always up-to-date event timelines

• Automatic notifications for every critical event

Guaranteed Operational Continuity

• No interruptions during rotations or expirations

• Grace period for old and new keys to coexist

• Instant manual regeneration if needed

Governance for Complex Ecosystems 

• Policies tailored by environment, API, and category

• Intelligent key reuse when compatible

• Advanced management across multi-team, multi-cloud setups

In short, with ApiShare 1.9, key management is no longer a weak point — it's a strength. 

More control. Less friction. That's how you scale.

In a world where APIs are increasingly interconnected, complex, and strategic, security is not optional. With ApiShare 1.9, key management becomes fluid, automated, and intelligent — embedded in the platform and designed for real-life API operations. 

This isn’t just a new feature.

It’s a new mindset: security by design, governance by default.