MuseMVP Docs

API Token

Create, view, test, and revoke API Keys in the settings center for programmatic access.

MuseMVP uses the Better Auth API Key plugin to provide full API Token management. Logged-in users can create, view, test, and revoke API Keys on the Settings → API Keys page (/app/settings/tokens) for programmatic access to protected APIs.

Access

Path: /app/settings/tokens. Requires login; unauthenticated users are redirected to the login page.

Overview

Create API Key

Custom name, expiry, prefix, and metadata. Full key is shown only once after creation.

View & Manage

List all keys with summary info; rename, renew, or revoke.

Online Test

Built-in test panel to verify key validity and remaining quota.

Secure Storage

Keys stored as hashes; full value shown only at creation, not recoverable later.


Page & Routes

| Path | Description |
| --- | --- |
| /app/settings/tokens | API Token management page (login required) |

src/app/(saas-page)/app/(account)/settings/tokens/page.tsx
src/modules/settings/components/api-keys/ApiKeyManager.tsx
src/modules/settings/lib/api-keys.ts
src/modules/settings/lib/api-keys.server.ts

Core Features

Create API Key

Configurable options:

| Parameter | Description |
| --- | --- |
| name | Optional, human-readable label |
| expiresIn | Optional, expiry in seconds |
| prefix | Optional, key prefix for identification |
| metadata | Optional, custom metadata |

Key Shown Once

The full key is displayed only once after creation. Save it securely; it cannot be retrieved later.

Verify API Key

Use POST /api/api-keys/verify to validate a key:

// Request body
{ "key": "your-api-key-string" }

// Response (valid)
{
  "valid": true,
  "key": { "id", "name", "userId", "remaining", "expiresAt", ... },
  "error": null
}

// Response (invalid)
{
  "valid": false,
  "key": null,
  "error": { "code": "KEY_NOT_FOUND", "message": "..." }
}

This endpoint is protected by authMiddleware and requires a valid session cookie. Verification ensures the key belongs to the current user.


Implementation

Data Flow

Frontend: ApiKeyManager uses useApiKeysQuery to fetch keys from Better Auth.

Create/Update/Delete: Via authClient.apiKey.create/update/delete.

Verify: POST /api/api-keys/verify calls auth.api.verifyApiKey and checks userId ownership.

API Endpoints

| Method | Path | Description |
| --- | --- | --- |
| POST | /api/api-keys/verify | Verify API Key (login required) |

Better Auth Native APIs

Create, list, update, delete are provided by Better Auth's apiKey plugin via authClient.apiKey.*.


Using in Business APIs

To validate API Keys in custom Hono routes, use Better Auth's verifyApiKey or call auth.api.verifyApiKey with the key from the request header. After validation, use the returned userId for subsequent business logic.
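
One way to structure that check in a business route, written as an added example rather than MuseMVP or Better Auth code. The verifier is injected so the sketch runs offline; the x-api-key header name, the function names, and the stub verifier with its sample key are assumptions, while the result shape follows the verify response shown earlier on this page.

```typescript
// Added example, not MuseMVP source. VerifyResult mirrors the verify response
// documented on this page; the header name and all function names are assumptions.
type VerifyResult = {
  valid: boolean;
  key: { id: string; userId: string } | null;
  error: { code: string; message: string } | null;
};
type Verifier = (key: string) => Promise<VerifyResult>;
type AuthOutcome =
  | { ok: true; userId: string; keyId: string }
  | { ok: false; status: 401; reason: string };
const API_KEY_HEADER = "x-api-key"; // assumption: header your clients send

// Header names are case-insensitive; empty or whitespace-only values count as absent.
function extractApiKey(headers: Record<string, string | undefined>): string | null {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== API_KEY_HEADER || value === undefined) continue;
    const trimmed = value.trim();
    if (trimmed.length > 0) return trimmed;
  }
  return null;
}

// `reason` is for server-side logs only; it never contains the key itself.
const deny = (reason: string): AuthOutcome => ({ ok: false, status: 401, reason });

async function authenticateApiKey(
  headers: Record<string, string | undefined>,
  verify: Verifier, // in the app this would wrap auth.api.verifyApiKey
): Promise<AuthOutcome> {
  const key = extractApiKey(headers);
  if (key === null) return deny("missing_key");
  let result: VerifyResult;
  try {
    result = await verify(key);
  } catch {
    return deny("verifier_error"); // fail closed if the verifier is unavailable
  }
  // Require both the flag and the key record; identity comes only from that record.
  if (!result.valid || result.key === null) return deny(result.error?.code ?? "invalid_key");
  return { ok: true, userId: result.key.userId, keyId: result.key.id };
}

// Constructed stand-in verifier that knows exactly one constructed key.
const stubVerify: Verifier = async (key) =>
  key === "demo_constructed_key"
    ? { valid: true, key: { id: "k1", userId: "user_1" }, error: null }
    : { valid: false, key: null, error: { code: "KEY_NOT_FOUND", message: "not found" } };
```

In a route handler, respond with the outcome's status on failure and pass only the returned userId to business logic, ignoring any user id supplied in the request body or query.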