Solana API Key Manager

Replace PostgreSQL + Redis with verifiable on-chain accounts. Same API key patterns, trustless enforcement.

10 Instructions • 72 Tests Passing • 1,280-line SDK • 13 CLI Commands • $2.25/mo vs $1,000+

  • 10 On-chain Instructions
  • 72 Tests Passing
  • 0 Dependencies (program)
  • $0.002 Cost per Key
  • FREE Validation Reads

Web2 vs On-Chain Architecture

Traditional Backend

  • PostgreSQL — keys, permissions, metadata
  • Redis — rate counters, sliding windows
  • API Gateway — auth middleware
  • Admin Dashboard — CRUD operations
  • Trust: "we promise not to change your limits"

Solana Program

  • ServiceConfig PDA — owner, limits, counters
  • ApiKey PDAs — hash-indexed, O(1) lookup
  • RPC Simulation — free validation reads
  • TypeScript SDK + CLI — full CRUD
  • Trust: verify on-chain, immutable audit trail

Trust Model Comparison

| Property | Web2 | On-Chain |
|---|---|---|
| Key Storage | Operator's database | Public blockchain (hash only) |
| Permission Changes | Silent DB update | Signed transaction, publicly visible |
| Rate Limit Enforcement | Trust the operator | Verified by program logic |
| Usage Data | Mutable application logs | Immutable on-chain counter |
| Revocation | Can be silent | Transaction on public ledger |
| Audit Trail | Internal, mutable, deletable | On-chain, immutable, permanent |
| Rule Changes | Deploy new code silently | Program upgrades visible on-chain |

Interactive Demo

Permissions: READ, WRITE, DEL, ADMIN
Bitmask: 0b0011 = 3

// Click "Create API Key" to simulate key creation
//
// This mirrors the Solana program's create_key instruction.
// The raw key is shown ONCE, then only the SHA-256 hash
// is stored on-chain (just like Stripe, OpenAI, etc.)
//
// On-chain cost: ~0.002 SOL (account rent)
// That's about $0.30 — one-time, reclaimable.

Validation uses simulateTransaction — it's completely free. No signature needed, no gas cost. The program checks: key exists, not revoked, not expired.

// Enter an API key and click Validate
//
// In production, your backend does:
// 1. Hash the key: SHA256("sk_live_abc123...")
// 2. Derive PDA: seeds = [b"apikey", service, hash]
// 3. Call simulateTransaction (FREE, no signer needed)
// 4. Program returns: valid/invalid + metadata
//
// This replaces a PostgreSQL lookup + Redis check
// Cost: $0 (vs ~$0.0001/query for RDS + ElastiCache)

Permissions: READ, WRITE, DEL, ADMIN

// Bitwise permission check — O(1), single AND operation
//
// key.permissions & required == required
//
// Same pattern as Unix file permissions and most SaaS APIs.
// u16 bitmask = 2 bytes for all permissions.
//
// On-chain check is FREE via RPC simulation.
// Click the bits above and select a required permission.
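
The permission check above, worked through in TypeScript as an added example (not the project's SDK code). READ and WRITE bit values come from the page's `0b0011` and `0b0010` examples; the DEL and ADMIN values and all function names are assumptions.

```typescript
// READ=0b0001 and WRITE=0b0010 match the page's examples.
// DEL=0b0100 and ADMIN=0b1000 are assumed from the order the page lists them.
const PERMISSION_BITS: Record<string, number> = {
  READ: 0b0001,
  WRITE: 0b0010,
  DEL: 0b0100,
  ADMIN: 0b1000,
};

// Parse a CLI-style string such as "READ|WRITE" into a bitmask.
// Unknown names are rejected rather than skipped, so a typo cannot
// silently create a key with different permissions than intended.
function parsePermissions(spec: string): number {
  let mask = 0;
  for (const raw of spec.split("|")) {
    const bit = PERMISSION_BITS[raw.trim().toUpperCase()];
    if (bit === undefined) throw new Error(`unknown permission: "${raw}"`);
    mask |= bit;
  }
  return mask;
}

// True only when EVERY required bit is set in the key's mask.
// The parentheses matter: in JavaScript `==` binds tighter than `&`,
// so the unparenthesised form would compute keyMask & (required == required).
function hasPermission(keyMask: number, required: number): boolean {
  for (const m of [keyMask, required]) {
    if (!Number.isInteger(m) || m < 0 || m > 0xffff) throw new RangeError("mask is not a u16");
  }
  // An empty requirement would authorise every key; treat it as a caller bug.
  if (required === 0) throw new RangeError("required mask must not be empty");
  return (keyMask & required) === required;
}

// "Any bit matches" variant, included only to contrast with the check above:
// it accepts a READ-only key for an operation that needs READ and WRITE.
function hasAnyBit(keyMask: number, required: number): boolean {
  return (keyMask & required) !== 0;
}

// Render a mask the way the CLI output does, e.g. 3 -> "READ | WRITE".
function maskToNames(mask: number): string {
  const names = Object.keys(PERMISSION_BITS).filter((n) => (mask & PERMISSION_BITS[n]) !== 0);
  return names.length > 0 ? names.join(" | ") : "(none)";
}
```
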

// Rate limiting simulation
//
// Each record_usage instruction:
// 1. Checks window_start + rate_limit_window > now
// 2. If new window: resets counter, updates window_start
// 3. Checks window_usage < rate_limit
// 4. Increments window_usage and total_usage
//
// Cost: ~$0.000005 per usage record (one Solana tx)
// Web2 equivalent: Redis INCR with TTL
//
// The key difference: usage counters are ON-CHAIN.
// The operator cannot silently reset or inflate them.
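
An off-chain model of the four record_usage steps listed above, added here as an example and not taken from the program's source. Field names follow the page; `KeyState`, `UsageResult`, `recordUsage` and `acceptedCount` are assumed names, and timestamps are plain Unix seconds.

```typescript
interface KeyState {
  rateLimit: number;       // max accepted calls per window
  rateLimitWindow: number; // window length in seconds
  windowStart: number;     // Unix seconds
  windowUsage: number;
  totalUsage: number;
}

interface UsageResult {
  ok: boolean;
  remaining: number;  // calls left in the current window
  retryAfter: number; // seconds until the window resets (0 when ok)
}

function recordUsage(key: KeyState, now: number): UsageResult {
  // Steps 1-2: the window is open while windowStart + rateLimitWindow > now;
  // otherwise a new window starts at `now` with a zeroed counter.
  const open = key.windowStart + key.rateLimitWindow > now;
  const windowStart = open ? key.windowStart : now;
  const windowUsage = open ? key.windowUsage : 0;

  // Step 3: reject without touching `key`. A failed Solana transaction
  // persists no account changes, so the model commits only on success.
  if (windowUsage >= key.rateLimit) {
    return { ok: false, remaining: 0, retryAfter: windowStart + key.rateLimitWindow - now };
  }

  // Step 4: commit the window reset (if any) and both counters together.
  key.windowStart = windowStart;
  key.windowUsage = windowUsage + 1;
  key.totalUsage += 1;
  return { ok: true, remaining: key.rateLimit - key.windowUsage, retryAfter: 0 };
}

// Replays a list of call timestamps and returns how many were accepted.
function acceptedCount(key: KeyState, timestamps: number[]): number {
  return timestamps.filter((t) => recordUsage(key, t).ok).length;
}
```

Because the counter resets at a window boundary, the limit bounds calls per window, not per arbitrary interval of the same length: calls clustered on both sides of a reset can total up to twice rate_limit, which matters when sizing the backend behind the key.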
  • sk_live_7f3a...c291
    production-backend • READ, WRITE • 847/1000 used
    Active
  • sk_live_e8b2...4d09
    mobile-client • READ • 12,483 total
    Active
  • sk_live_1a9f...8b3e
    old-frontend • READ, WRITE, DELETE • Revoked 2h ago
    Revoked
  • sk_live_d4c7...2f5a
    temp-access • ADMIN • Expired 3d ago
    Expired

10 On-Chain Instructions

| # | Instruction | Web2 equivalent | Cost | Access |
|---|---|---|---|---|
| 1 | initialize_service | POST /services | ~0.003 SOL (rent) | Anyone |
| 2 | update_service | PATCH /services/:id | ~0.000005 SOL | Owner only |
| 3 | create_key | POST /keys | ~0.002 SOL (rent) | Owner only |
| 4 | validate_key | GET /keys/:hash/validate | FREE (RPC sim) | Anyone |
| 5 | check_permission | Authorization middleware | FREE (RPC sim) | Anyone |
| 6 | record_usage | Rate limit middleware | ~0.000005 SOL | Owner only |
| 7 | update_key | PATCH /keys/:hash | ~0.000005 SOL | Owner only |
| 8 | rotate_key | POST /keys/:hash/rotate | ~0.002 SOL (net) | Owner only |
| 9 | revoke_key | DELETE /keys/:hash (soft) | ~0.000005 SOL | Owner only |
| 10 | close_key | DELETE /keys/:hash (hard) | Reclaims ~0.002 SOL | Owner only |

Cost Comparison

Traditional Stack (AWS)

$1,044 per month (1,000 keys, 1M validations)

  • RDS t3.micro: $15
  • ElastiCache: $13
  • ALB: $16
  • ECS Fargate: $1,000
  • + CloudWatch, S3, backups

Solana On-Chain

$2.25 per month (1,000 keys, 1M validations)

  • Key creation: $2.00 (rent, reclaimable)
  • Usage records: $0.25 (50K writes)
  • Validation: FREE (RPC simulation)

Cost Reduction

464x cheaper than AWS equivalent

  • $1,044/mo → $2.25/mo
  • Rent is reclaimable on close
  • Reads are always free

$12,501 annual savings for a typical SaaS operation with 1,000 API keys

CLI Preview

$ npx ts-node src/cli.ts create-service --name "My SaaS API" --max-keys 100 --rate-limit 1000
Service initialized!
  PDA: 8Kag...3nVB
  Owner: GpXH...YvH
  Max keys: 100
  Default rate limit: 1000/hour

$ npx ts-node src/cli.ts create-key --label "production" --permissions "READ|WRITE" --rate-limit 5000
API Key created!
  Key: sk_live_7f3a8b2c...c291e4d0 (SAVE THIS — shown once only)
  Label: production
  Permissions: READ | WRITE (0b0011)
  Rate limit: 5000/hour
  PDA: 4mXz...9kLp

$ npx ts-node src/cli.ts validate-key --key sk_live_7f3a8b2c...c291e4d0
Key is VALID
  Label: production
  Status: Active
  Permissions: READ | WRITE
  Usage: 0 / 5000 (this window)
  Cost: FREE (RPC simulation)

$ npx ts-node src/cli.ts check-permission --key sk_live_7f3a...c291 --permission WRITE
AUTHORIZED — Key has WRITE permission
  Key permissions: 0b0011 (READ | WRITE)
  Required: 0b0010 (WRITE)
  Check: 0b0011 & 0b0010 == 0b0010 ✓

$ npx ts-node src/cli.ts list-keys
#  Label          Permissions      Usage   Status
1  production     READ,WRITE       847     Active
2  mobile-client  READ             12,483  Active
3  old-frontend   READ,WRITE,DEL   -       Revoked
4  temp-access    ADMIN            -       Expired

$ npx ts-node src/cli.ts rotate-key --key sk_live_7f3a...c291
Key rotated!
  Old key revoked + closed (rent reclaimed)
  New key: sk_live_b9e1...a4f7 (SAVE THIS)
  All settings preserved (permissions, rate limits, label)

$ npx ts-node src/cli.ts export --pretty | head -20
{
  "service": { "name": "My SaaS API", "maxKeys": 100, "activeKeys": 3 },
  "keys": [
    { "label": "production", "permissions": 3, "status": "active", "usage": 847 },
    ...
  ]
}

Live Devnet Explorer

Real-time data from the deployed program on Solana devnet
