Reference

Prerequisite You should have installed the KeyHippo extension in your Supabase PostgreSQL database.

Installation

Install the KeyHippo extension in your Supabase database:

SELECT dbdev.install('keyhippo@keyhippo');
CREATE EXTENSION "keyhippo@keyhippo" VERSION '0.0.33';

Replace ‘0.0.33’ with the latest version number if a newer version is available.

Schemas

KeyHippo creates and uses the following schemas:

keyhippo: Main schema for KeyHippo functions and tables
keyhippo_internal: Internal schema for KeyHippo helper functions

Functions

FUNCTION keyhippo.create_api_key(id_of_user TEXT, key_description TEXT) RETURNS TEXT

Creates a new API key for the specified user.

id_of_user: TEXT - The UUID of the user as text
key_description: TEXT - A description for the new API key

Returns the generated API key as TEXT.

FUNCTION keyhippo.revoke_api_key(id_of_user TEXT, secret_id TEXT) RETURNS VOID

Revokes the specified API key.

id_of_user: TEXT - The UUID of the user as text
secret_id: TEXT - The UUID of the API key to revoke as text

FUNCTION keyhippo.get_api_key_metadata(id_of_user UUID) RETURNS TABLE (
  api_key_id UUID,
  name TEXT,
  permission TEXT,
  last_used TIMESTAMPTZ,
  created TIMESTAMPTZ,
  total_uses BIGINT,
  success_rate DOUBLE PRECISION,
  total_cost DOUBLE PRECISION,
  revoked TIMESTAMPTZ
)

Retrieves metadata for all API keys associated with the specified user.

id_of_user: UUID - The UUID of the user

Returns a table with detailed information about each API key.

FUNCTION auth.keyhippo_check(owner_id UUID) RETURNS BOOLEAN

Checks if the current request is authenticated with a valid API key for the given user ID.

owner_id: UUID - The UUID of the user to check against

Returns TRUE if the request is authenticated with a valid API key, FALSE otherwise.

Tables

KeyHippo creates and manages several tables to store API key information:

keyhippo.user_ids: Stores user IDs
keyhippo.api_key_id_owner_id: Maps API key IDs to owner IDs
keyhippo.api_key_id_name: Stores API key names/descriptions
keyhippo.api_key_id_permission: Stores permissions for each API key
keyhippo.api_key_id_created: Stores creation timestamps for API keys
keyhippo.api_key_id_last_used: Tracks the last usage of each API key
keyhippo.api_key_id_total_use: Counts total uses of each API key
keyhippo.api_key_id_success_rate: Tracks success rates of API key usage
keyhippo.api_key_id_total_cost: Tracks total cost associated with each API key
keyhippo.api_key_id_revoked: Stores revocation information for API keys

These tables are managed by KeyHippo. Direct manipulation of these tables is not recommended.

RLS Policies

KeyHippo automatically sets up Row Level Security (RLS) policies on its tables. Here’s an example of how to create a custom RLS policy that incorporates KeyHippo authentication:

CREATE POLICY "users_read_own_data"
ON public.user_data
FOR SELECT
USING (
  auth.uid() = user_id
  OR auth.keyhippo_check(user_id)
);

This policy allows users to read their own data when authenticated either through a session token (auth.uid()) or a valid API key (auth.keyhippo_check()).

Vault Integration

KeyHippo uses Supabase Vault for storing sensitive information. The following secrets are automatically set up:

project_api_key_secret: Used for API key hashing
project_jwt_secret: Used for JWT signing in API key generation

These secrets are managed automatically by KeyHippo. Manual modification is not recommended.

Troubleshooting

Here are solutions to common issues when working with the KeyHippo extension:

For more detailed troubleshooting, refer to the KeyHippo GitHub repository or consult the full documentation.

Get Started

TypeScript Client

SQL Extension

Learn

Installation

Schemas

Functions

Tables

RLS Policies

Vault Integration

Troubleshooting

Get Started

TypeScript Client

SQL Extension

Learn

​Installation

​Schemas

​Functions

​Tables

​RLS Policies

​Vault Integration

​Troubleshooting

Installation

Schemas

Functions

Tables

RLS Policies

Vault Integration

Troubleshooting