Keysmith

Forge Integration

Using Keysmith with the Forge framework.

Keysmith ships with a Forge extension adapter that handles DI registration, REST API route mounting, and database migration on startup.

Mounting the extension

import (
    "github.com/xraph/forge"
    "github.com/xraph/keysmith"
    "github.com/xraph/keysmith/extension"
    "github.com/xraph/keysmith/store/postgres"
    audithook "github.com/xraph/keysmith/audit_hook"
)

app := forge.New(
    forge.WithExtension(
        extension.New(
            extension.WithEngineOptions(
                keysmith.WithStore(pgStore),
            ),
            extension.WithHookExtension(audithook.New(recorder)),
        ),
    ),
)

What the extension does

On registration

  1. Registers keysmith.Engine in the Forge DI container via vessel.Provide
  2. Registers the API route handler

On start

  1. Runs database migrations if a PostgreSQL store is configured
  2. Starts any background processes (e.g., expired key cleanup)

On stop

  1. Fires the Shutdown plugin hook
  2. Closes the store connection

REST API routes

When mounted, the extension exposes the full Keysmith REST API:

MethodPathDescription
POST/v1/keysCreate API key
GET/v1/keysList API keys
GET/v1/keys/:keyIdGet API key
DELETE/v1/keys/:keyIdDelete API key
POST/v1/keys/:keyId/rotateRotate API key
POST/v1/keys/:keyId/revokeRevoke API key
POST/v1/keys/:keyId/suspendSuspend API key
POST/v1/keys/:keyId/reactivateReactivate API key
POST/v1/keys/validateValidate raw API key
POST/v1/policiesCreate policy
GET/v1/policiesList policies
GET/v1/policies/:policyIdGet policy
PUT/v1/policies/:policyIdUpdate policy
DELETE/v1/policies/:policyIdDelete policy
POST/v1/scopesCreate scope
GET/v1/scopesList scopes
DELETE/v1/scopes/:scopeIdDelete scope
POST/v1/keys/:keyId/scopesAssign scopes to key
DELETE/v1/keys/:keyId/scopesRemove scopes from key
GET/v1/keys/:keyId/usageGet key usage
GET/v1/keys/:keyId/usage/aggregateGet usage aggregation
GET/v1/usageList tenant usage
GET/v1/keys/:keyId/rotationsList key rotations

Automatic tenant scoping

When running inside Forge, Keysmith automatically extracts the app ID and tenant ID from forge.Scope. No manual WithTenant call is needed.

DI integration

Access the engine from the Forge DI container:

// In a Forge handler
func myHandler(ctx forge.Context) error {
    eng := vessel.MustResolve[*keysmith.Engine](ctx.Vessel())
    // use eng...
}

Extension options

OptionDescription
WithEngineOptions(...keysmith.Option)Engine configuration options
WithHookExtension(plugin.Plugin)Register a lifecycle plugin
WithConfig(Config)Override default extension configuration
WithLogger(*slog.Logger)Set the logger

On this page