LoginGuards
API usage governance

Users Endpoint Policies

Guidance for customers and internal teams on how LoginGuards API keys are issued, monitored, and enforced.

API key lifecycle

  • Keys are long-lived secrets. Rotate them manually from the Dashboard when staff changes, incident response requires it, or on a quarterly cadence.
  • Only a hash of each key (plus a short identifying prefix) is stored at rest. The full token is shown once, at creation; encourage customers to store it in a secret manager.
  • Revocation is immediate. Once a key is revoked, every request presenting it is rejected with HTTP 401 or 403.

Request authentication policy

  • Every request to `POST /v1/check` (and derivative endpoints) must include the `x-api-key` header.
  • Keys authenticate the caller; no additional hourly refresh tokens are required for customer workloads.
  • Dashboard operations (creating keys, viewing usage) continue to rely on Azure AD B2C OAuth tokens and are isolated from public API usage.

Abuse detection & enforcement

  • Track per-key request counters and compare against the customer plan. When quotas are exceeded, throttle or suspend the offending key automatically.
  • Persist recent requests (timestamp, key, endpoint, status, latency, IP) to surface suspicious bursts or repeated failures.
  • Integrate alerts (email, Slack, Azure Monitor) for spikes, repeated 401/429 responses, or anomalous geographies.
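Added example (not the LoginGuards implementation): a Python monitor that replays constructed request records through the per-key quota, burst, repeated-401 and geography checks listed above and returns the enforcement decision for each. The plan limits, alert thresholds, `AbuseMonitor` class, field names and log lines are all assumed for illustration; the records are what the authentication step would hand on (`status` 200 means the key was accepted, 401 that it was rejected).

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Plan tiers. The numbers are assumed for the example, not LoginGuards' real tiers.
PLANS = {
    "starter": {"monthly_quota": 5, "burst_per_minute": 3},
    "pro": {"monthly_quota": 100_000, "burst_per_minute": 60},
}
FAILED_AUTH_THRESHOLD = 3                 # 401s from one IP inside the window (assumed)
FAILED_AUTH_WINDOW = timedelta(minutes=5)
BURST_WINDOW = timedelta(minutes=1)

# Constructed request records, one JSON object per line, with the fields the page says
# to persist (timestamp, key prefix, endpoint, status, latency, IP) plus a resolved
# country. Key "ab12cd34" is on the starter plan; the last three lines are rejected
# requests with an unknown key from a single IP.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "key": "ab12cd34", "endpoint": "/v1/check", "status": 200, "latency_ms": 41, "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-05-01T10:00:10Z", "key": "ab12cd34", "endpoint": "/v1/check", "status": 200, "latency_ms": 38, "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-05-01T10:00:20Z", "key": "ab12cd34", "endpoint": "/v1/check", "status": 200, "latency_ms": 40, "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-05-01T10:00:30Z", "key": "ab12cd34", "endpoint": "/v1/check", "status": 200, "latency_ms": 39, "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-05-01T10:02:00Z", "key": "ab12cd34", "endpoint": "/v1/check", "status": 200, "latency_ms": 95, "ip": "198.51.100.7", "country": "RU"}
{"ts": "2024-05-01T10:02:05Z", "key": "ab12cd34", "endpoint": "/v1/check", "status": 200, "latency_ms": 97, "ip": "198.51.100.7", "country": "RU"}
{"ts": "2024-05-01T10:02:10Z", "key": "ab12cd34", "endpoint": "/v1/check", "status": 200, "latency_ms": 96, "ip": "198.51.100.7", "country": "RU"}
{"ts": "2024-05-01T10:02:15Z", "key": "ab12cd34", "endpoint": "/v1/check", "status": 200, "latency_ms": 94, "ip": "198.51.100.7", "country": "RU"}
{"ts": "2024-05-01T10:05:00Z", "key": "zzzzzzzz", "endpoint": "/v1/check", "status": 401, "latency_ms": 3, "ip": "192.0.2.9", "country": "BR"}
{"ts": "2024-05-01T10:05:01Z", "key": "zzzzzzzz", "endpoint": "/v1/check", "status": 401, "latency_ms": 2, "ip": "192.0.2.9", "country": "BR"}
{"ts": "2024-05-01T10:05:02Z", "key": "zzzzzzzz", "endpoint": "/v1/check", "status": 401, "latency_ms": 3, "ip": "192.0.2.9", "country": "BR"}
"""


def _parse(line: str) -> dict:
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


class AbuseMonitor:
    def __init__(self, key_plans: dict[str, str]) -> None:
        self.key_plans = key_plans                  # key prefix -> plan name
        self.monthly = defaultdict(int)             # (prefix, "YYYY-MM") -> accepted requests
        self.burst = defaultdict(deque)             # prefix -> timestamps of accepted requests
        self.failed_auth = defaultdict(deque)       # ip -> timestamps of 401 responses
        self.seen_countries = defaultdict(set)      # prefix -> countries seen so far
        self.suspended: set[str] = set()
        self.alerts: list[tuple[str, str]] = []     # (kind, subject), what would go to email/Slack

    @staticmethod
    def _trim(q: deque, now: datetime, window: timedelta) -> None:
        while q and now - q[0] > window:
            q.popleft()

    def process(self, line: str) -> str:
        """Apply one request record; returns allow, throttle, suspend or reject."""
        rec = _parse(line)
        now, key, ip = rec["ts"], rec["key"], rec["ip"]

        if rec["status"] == 401 or key not in self.key_plans:
            # Rejected key: count failures per source IP to surface credential stuffing.
            q = self.failed_auth[ip]
            self._trim(q, now, FAILED_AUTH_WINDOW)
            q.append(now)
            if len(q) == FAILED_AUTH_THRESHOLD:
                self.alerts.append(("failed_auth", ip))
            return "reject"

        if key in self.suspended:
            return "suspend"

        # Anomalous geography: a country this key has never called from before.
        seen = self.seen_countries[key]
        if seen and rec["country"] not in seen:
            self.alerts.append(("geo", f"{key}:{rec['country']}"))
        seen.add(rec["country"])

        plan = PLANS[self.key_plans[key]]

        # Short-window spike: throttle without consuming monthly quota.
        q = self.burst[key]
        self._trim(q, now, BURST_WINDOW)
        if len(q) >= plan["burst_per_minute"]:
            self.alerts.append(("burst", key))
            return "throttle"

        # Monthly quota: suspend the key once it is exceeded.
        month = (key, now.strftime("%Y-%m"))
        self.monthly[month] += 1
        if self.monthly[month] > plan["monthly_quota"]:
            self.suspended.add(key)
            self.alerts.append(("quota", key))
            return "suspend"

        q.append(now)
        return "allow"


def run_sample() -> tuple[list[str], list[tuple[str, str]]]:
    mon = AbuseMonitor({"ab12cd34": "starter"})
    decisions = [mon.process(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return decisions, mon.alerts


if __name__ == "__main__":
    decisions, alerts = run_sample()
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        rec = json.loads(line)
        print(f"{rec['ts']} {rec['key']} {rec['ip']:>13} -> {decision}")
    print("alerts:", alerts)
```

On the sample the fourth request is throttled (three accepted calls inside a minute), the first call from a new country raises a geography alert, the sixth accepted call pushes the key over its monthly quota and suspends it, and the third 401 from the same IP within five minutes raises the failed-auth alert. A throttled request is not counted against the monthly quota, so a burst cannot exhaust a customer's allowance on its own; whether that is the right trade-off is a plan-design decision, not something the page specifies.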

Customer communication

  • Notify customers when they near monthly quota exhaustion so they can upgrade or rotate keys.
  • When abuse is detected, revoke the key and deliver guidance on remediation (rotate credentials, investigate code exposure, enable rate limiting).
  • Provide a self-service dashboard view with usage charts and recent request logs to increase transparency.

Operational checklist

  • Automate request counting & monthly reset jobs per plan tier.
  • Surface usage analytics, last request metadata, and revoke controls in the dashboard.
  • Log all authentication failures and notify the security team when thresholds are met.
  • Document incident response playbooks for compromised keys and suspected credential stuffing.