API keys: Length and complexity

tpanza · July 14, 2025, 3:32pm

Description

Looking to understand API keys and any requirements around them. The Weaviate Docs AI was not able to answer and recommended I reach out, so here I am.

Are there minimum and maximum lengths of API keys?

What types of characters are allowed and disallowed within API keys? I assume, at a minimum, upper case letters, lower case letters, and numbers are permitted.

Server Setup Information

Weaviate Server Version: 1.31.4
Deployment Method: k8s, self-hosted
Multi Node? Number of Running Nodes: 1
Client Language and Version: Python v4
Multitenancy?: no

Any additional Information

DudaNogueira · July 14, 2025, 8:57pm

hi @tpanza !!

I have used Deepwiki to help me analyze our codebase regarding this question and this is what I got:

API Key Length Constraints

Weaviate has different length requirements depending on the API key type:

Dynamic API Keys (Generated by Weaviate)

Dynamic API keys have fixed length components defined in the key generation system key_generation.go:23-29 :

Random key component: 32 bytes (44 characters when Base64 encoded)
User identifier component: 12 bytes (16 characters when Base64 encoded)
Version identifier: 4 characters (v200)

The complete dynamic API key structure is {userIdentifier}_{randomKey}_{version}, then Base64 encoded again key_generation.go:75-78 . This results in a predictable total length.

Static API Keys (User-Configured)

For static API keys configured via environment variables, the validation only enforces that keys cannot have zero length client.go:60-64 . There’s no explicit maximum length constraint in the static key validation.

API Key Display Length

When displaying API key information to users, only the first 3 characters are shown d_b_user_info.go:38-40 and schema.json:86-93 , with validation ensuring this field doesn’t exceed 3 characters db_users.go:176-178 .

Character Types Allowed

Dynamic API Keys

Dynamic API keys use Base64 encoding, which includes:

Uppercase letters (A-Z)
Lowercase letters (a-z)
Numbers (0-9)
Plus sign (+)
Forward slash (/)

The key generation process creates random bytes and encodes them using Go’s standard Base64 encoding key_generation.go:60-61 and key_generation.go:66-67 .

Static API Keys

Static API keys have no explicit character restrictions in the validation logic - they can contain any characters as long as the length is greater than zero client.go:60-64 .

Notes

The API key validation system distinguishes between static keys (configured via environment) and dynamic keys (generated by Weaviate’s internal system). Dynamic keys follow a strict format with Base64 encoding, while static keys are more flexible but still require non-zero length. The system also includes collision detection for dynamic key generation to ensure uniqueness handlers_db_users.go:428-447 .

Let me know if this helps!

Thanks!

Topic		Replies	Views
OpenAI API Key Leaked Support	3	998	February 16, 2025
Tip: Maximum vector length in Weaviate Resources	1	1392	June 15, 2023
AUTHENTICATION_APIKEY_ENABLED: 'true' throwing oidc auth not configured error General	8	1675	May 10, 2024
Meta endpoint! Unexpected status code: 401, with response body: {'code': 401, 'message': 'anonymous access not enabled, please provide an auth scheme such as OIDC'} Support	6	1168	March 15, 2025
Weird openaikey reference error I've never seen before (and can't find online) Support	3	434	January 22, 2025