CLI tool for API key and JWT lifecycle management — generate, store, verify, rotate, and revoke keys with an encrypted local keystore.
⭐ Star this repo if you manage API credentials — it helps other devs find APIAuth!
pip install apiauth
# Generate an API key
apiauth generate api-key --name "My API Key" --service "api-gateway" --expiry-days 90
# List all keys with expiry status
apiauth list
# Export for CI/CD
apiauth export --format github-actions- Generate API keys and JWTs with a single command
- Import existing API keys into the encrypted keystore
- Verify API keys against stored hashes — check revocation and expiry
- Rotate keys and tokens safely — previous values are hashed out
- Revoke compromised keys instantly
- List & search keys by service with expiry status indicators
- Export as environment variables, dotenv, JSON, or GitHub Actions format
- Audit keystore for expired, expiring, and revoked keys
- Encrypted local keystore — AES-256-GCM, master key stored in
~/.apiauth/ - CI/CD integration — export keys for GitHub Actions, GitLab CI, etc.
Generate a new API key or JWT.
apiauth generate api-key --name "My API Key" --service "api-gateway" --expiry-days 90
apiauth generate jwt --name "My JWT" --service "auth-service" --expiry-days 30 --claim role=adminList all stored keys with expiry status.
apiauth list
apiauth list --service "api-gateway"
apiauth list --json-outputShow details for a specific key.
apiauth show <key-id>Verify an API key against stored hashes.
apiauth verify ak_xYz123abc...Import an existing key into the keystore.
apiauth import ak_existing_key_value --name "Legacy Key" --service "api"Rotate a key and hash out the previous value.
apiauth rotate <key-id>Revoke a key instantly.
apiauth revoke <key-id>Export keys for external consumption.
apiauth export --format env --service "api-gateway"
apiauth export --format dotenv
apiauth export --format github-actions
apiauth export --format jsonAudit keystore health.
apiauth auditView keystore statistics.
apiauth stats| Format | Use Case |
|---|---|
env |
Shell source scripts (export KEY=value) |
dotenv |
.env files (no export prefix) |
github-actions |
$GITHUB_ENV and workflow YAML |
json |
Programmatic consumption |
- Master key never leaves
~/.apiauth/master.key - Key store is encrypted with AES-256-GCM
- Plaintext keys are only displayed once on creation
- Rotated keys have their previous values hashed
- Imported keys are stored as SHA-256 hashes only
verifycommand checks against stored hashes — no plaintext stored
APIAuth is one of eleven tools in the Revenue Holdings suite. One license covers all CLI tools.
| Plan | Price | Best For |
|---|---|---|
| Free | $0 | Individual devs, OSS — CLI only, 5 keys |
| APIAuth Individual | $12/mo ($10 billed annually) | Professional devs — unlimited keys, all export formats |
| Suite (all 11 tools) | $49/mo ($39 billed annually) | Full Revenue Holdings toolkit — 40% savings |
| Team | $79/mo ($63 billed annually) | Up to 5 devs — shared keystore, team dashboard, alerts |
| Enterprise | Custom | SSO, RBAC, compliance reports, dedicated support |
🔹 No lock-in: CLI works fully offline on the free tier — no telemetry, no phone-home. 🔹 Annual billing: Save 20%.
| Feature | Free | Individual | Suite | Team | Enterprise |
|---|---|---|---|---|---|
| CLI: generate, verify, export | ✓ | ✓ | ✓ | ✓ | ✓ |
| Unlimited keys | 5 keys | ✓ | ✓ | ✓ | ✓ |
| All export formats | env only |
✓ | ✓ | ✓ | ✓ |
| JWT with custom claims | — | ✓ | ✓ | ✓ | ✓ |
| Audit & stats | — | ✓ | ✓ | ✓ | ✓ |
| Shared team keystore | — | — | — | ✓ | ✓ |
| Dashboard & analytics | — | — | — | ✓ | ✓ |
| Compliance reports | — | — | — | — | ✓ |
| RBAC / SSO / SAML / OIDC | — | — | — | — | ✓ |
| Priority support | Community | 24h | 24h | 8h | Dedicated |
Part of Revenue Holdings — CLI tools built by autonomous AI.
Keys and configuration are stored in ~/.apiauth/:
~/.apiauth/master.key— AES-256-GCM master key (never shared)~/.apiauth/keystore.enc— encrypted key-value store~/.apiauth/config.yaml— user configuration
# In your deployment pipeline
export $(apiauth export --format env --service production)
# Audit before release
apiauth audit --exit-on-expired- Vault-backed remote keystore (HashiCorp Vault, AWS Secrets Manager)
- Auto-expiry notifications via CLI or webhook
- GPG key support
- MCP server for AI-assisted key management
- Web UI for team keystore management
- Terraform provider for secret provisioning
MIT — see LICENSE
Part of Revenue Holdings — a suite of 11 developer CLI tools built by autonomous AI agents. Also check out API Contract Guardian (breaking change detection), DeployDiff (infrastructure diffs), json2sql (JSON → SQL), ConfigDrift (config drift detection), DeadCode (dead code cleanup), APIGhost (mock API server), Envault (env sync), SchemaForge (ORM converter), and click-to-mcp (CLI → MCP server).