API key handling
Date: 2026-01-12
Status: accepted
Context
We want to protect our API with an API key to prevent unauthorized access, while keeping the initial setup simple and low-effort.
Decision
We will use AWS Secrets Manager to store an array of valid API keys.
- The secret is created and managed via CDK.
- Read access to the secret is granted to the application Lambda.
- Adding or rotating keys is a manual step, which we accept as a trade-off for a minimal setup.
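How the application Lambda would consume the secret described above, as an added example that is not the project's own code. It assumes the SecretString is a JSON array of key strings, that clients present the key in an `x-api-key` header, and that the injected fetcher wraps a GetSecretValue call from `@aws-sdk/client-secrets-manager` (the SDK call itself is not shown so the block runs offline). The points it demonstrates are validation of the secret payload, constant-time comparison against every stored key, caching for the lifetime of the execution environment so a manual rotation is picked up without a redeploy, and never echoing the presented key.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Assumed secret format (the decision fixes no exact layout): the SecretString is a
// JSON array of API key strings, e.g. '["key-one","key-two"]'. Reject anything else.
export function parseKeyList(secretString: string): string[] {
  let parsed: unknown;
  try {
    parsed = JSON.parse(secretString);
  } catch {
    throw new Error("secret payload is not valid JSON");
  }
  const isStringArray =
    Array.isArray(parsed) && parsed.every((k) => typeof k === "string" && k.length > 0);
  if (!isStringArray) {
    throw new Error("secret payload must be a JSON array of non-empty strings");
  }
  return parsed as string[];
}

// Compare one presented key with one stored key in constant time. Both sides are hashed
// first so the buffers always have equal length (timingSafeEqual throws otherwise) and
// the comparison time does not depend on how many leading bytes match.
export function keyMatches(presented: string, stored: string): boolean {
  const a = createHash("sha256").update(presented, "utf8").digest();
  const b = createHash("sha256").update(stored, "utf8").digest();
  return timingSafeEqual(a, b);
}

// Check the presented key against every stored key without breaking early, so the
// response time does not reveal which slot (if any) matched.
export function isAuthorized(presented: string | undefined, validKeys: string[]): boolean {
  if (!presented) return false;
  let matched = false;
  for (const stored of validKeys) {
    if (keyMatches(presented, stored)) matched = true;
  }
  return matched;
}

// Cache the parsed key list and refresh it after ttlMs. One fetch per execution
// environment per TTL keeps Secrets Manager calls off the hot path, and a manually
// rotated key becomes valid within one TTL. The fetcher is injected: in the Lambda it
// would wrap GetSecretValue from @aws-sdk/client-secrets-manager (assumed, not shown).
export function makeKeyCache(
  fetchSecretString: () => string,
  ttlMs: number,
  now: () => number = Date.now,
) {
  let keys: string[] | null = null;
  let expiresAt = 0;
  let fetches = 0;
  return {
    get(): string[] {
      if (keys === null || now() >= expiresAt) {
        keys = parseKeyList(fetchSecretString());
        expiresAt = now() + ttlMs;
        fetches += 1;
      }
      return keys;
    },
    fetchCount: (): number => fetches,
  };
}

// Minimal request check as the handler would perform it. The presented key is never
// written to the response or to logs; only the outcome is.
export function checkRequest(
  headers: Record<string, string | undefined>,
  cache: { get(): string[] },
): { statusCode: number; body: string } {
  const presented = headers["x-api-key"];
  if (!isAuthorized(presented, cache.get())) {
    return { statusCode: 401, body: "unauthorized" };
  }
  return { statusCode: 200, body: "ok" };
}

// Constructed sample payload with placeholder keys (not real credentials) for a stand-alone run.
export const SAMPLE_SECRET = JSON.stringify(["example-key-A1", "example-key-B2"]);

const demoCache = makeKeyCache(() => SAMPLE_SECRET, 5 * 60 * 1000);
console.log(checkRequest({ "x-api-key": "example-key-B2" }, demoCache)); // { statusCode: 200, body: 'ok' }
console.log(checkRequest({ "x-api-key": "not-a-valid-key" }, demoCache)); // { statusCode: 401, body: 'unauthorized' }
```

The CDK side is what the decision already states and is not repeated here: a `secretsmanager.Secret` created in the stack and `secret.grantRead(handler)` on the Lambda function, which is the only IAM access the function needs. The cache TTL is the knob that trades Secrets Manager call volume against how quickly a rotated key takes effect; an old key stays valid for at most one TTL after it is removed from the array.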
Consequences
This approach provides basic protection against external access with minimal operational overhead. However, it does not scale well for more complex requirements (for example, self-service key management, per-consumer keys, key metadata, or automated rotation). If broader access management becomes necessary, we will need to replace this with a more flexible solution.