KeyHippo [LW24]

Add API key auth to Postgres Row Level Security (RLS) policy

API
Developer Tools
GitHub
Database

https://launchweek.dev/lw/MEGA

KeyHippo is a Postgres extension that lets you issue API keys directly from SQL and validate them in RLS policies in parallel with your existing session-token flow (e.g. Supabase Auth).

Top comment

Hey Product Hunt! 👋 I'm David, founder of Integrated Reasoning. Today we're launching an open-source Postgres extension called KeyHippo!

Integrated Reasoning started out as a hardware company, developing accelerators for optimization problems like the traveling salesman problem. In our search for product-market fit we started launching SaaS products. After shipping a few projects built on Supabase, we accumulated a solid internal repository of SaaS code. One thing that was missing from this was a good solution to issuing API keys that work nicely with Supabase Auth and Postgres RLS.

There are a handful of GitHub issues related to this problem, but Felix Zedén Yverås (FelixZY) puts it best:

> Support API key generation (Supabase #12328)
>
> Please support generating user-tied API keys via supabase-js/GoTrue
> I'm developing an open API. Users can sign into a web portal and generate API tokens to be used when communicating with the API. Users can generate multiple tokens, e.g. if they want to use different keys for Android and iOS client applications and track their usage separately.
>
> Currently, I can find no good way of generating such tokens/API keys without exposing secrets or breaking RLS.

KeyHippo solves this problem well. We use it every day internally and it's used in production by Autarc (YC S24).

By launching on Product Hunt we hope to:

1) Help other developers who face the problems that KeyHippo solves
2) Grow KeyHippo's developer community (thanks @tomasfrancisco for our first community PR!)

I'll be launching a new feature every day this week as part of Mega Launch Week 2024 and will be around to answer any questions.

Comment highlights

Congrats on the launch, @keyhippo! This looks like a game-changer for Postgres security. How do you see this impacting the developer experience compared to other methods of managing API keys?