Skip to content

v2.22.0 Release Notes — API Key Authentication

Release Date: 2026-02-18 Previous Version: v2.21.0 Commits: 935c1b4e → 218cd6c4

Overview

v2.22.0 adds Spring Security with stateless API key authentication, the security foundation required before v3.0.0. This release introduces X-API-Key header-based authentication for protected REST endpoints while maintaining backward compatibility with authentication disabled by default. Developers can now secure their GeckoCIRCUITS REST API deployments in production environments without breaking existing integrations.

New Features

1. API Key Authentication

Protect REST endpoints using stateless API key authentication with configurable key management.

Configuration

Enable API key authentication in application.properties:

# Enable/disable authentication (default: false for backward compatibility)
gecko.api.auth-enabled=true

# Comma-separated list of valid API keys
gecko.api.keys=my-key-1,my-key-2,my-key-3

Important Notes: - Authentication is disabled by default (gecko.api.auth-enabled=false) for backward compatibility - Empty key set (gecko.api.keys=) = open mode (no authentication enforced even when enabled) - Each key is a simple string (no hashing or encoding required in config) - Keys are validated on every request (no caching overhead)

Authentication Method

All protected endpoints require the X-API-Key header:

curl -H "X-API-Key: my-secret-key" \
  http://localhost:8080/api/v1/simulations

Error Response

Invalid or missing API key returns 401 Unauthorized:

{
  "error": "Unauthorized",
  "message": "Valid X-API-Key header required"
}

2. Public Endpoints (No API Key Required)

The following endpoints are always public and do not require API authentication:

Path Description
/api/v1/health Health check endpoint
/actuator/health Spring Boot Actuator health
/swagger-ui/** Swagger UI documentation
/v3/api-docs/** OpenAPI 3.0 specification
/ws/** WebSocket STOMP endpoint
/ws-raw/** Raw WebSocket endpoint

All other /api/v1/** endpoints are protected when gecko.api.auth-enabled=true.

3. Client Usage Examples

curl

# With API key authentication
curl -H "X-API-Key: my-secret-key" \
  http://localhost:8080/api/v1/simulations

# Without API key (works only when auth-enabled=false)
curl http://localhost:8080/api/v1/simulations

Python

import requests

# Create a session with API key header
session = requests.Session()
session.headers.update({"X-API-Key": "my-secret-key"})

# All requests through this session include the API key
response = session.post(
    "http://localhost:8080/api/v1/simulations",
    json={"circuitFile": "path/to/circuit.ipes"}
)

print(response.status_code)  # 200 on success, 401 if key is invalid
print(response.json())

JavaScript/Node.js

const axios = require('axios');

const client = axios.create({
  baseURL: 'http://localhost:8080',
  headers: {
    'X-API-Key': 'my-secret-key'
  }
});

// All requests automatically include the API key
client.post('/api/v1/simulations', {
  circuitFile: 'path/to/circuit.ipes'
})
.then(response => console.log(response.data))
.catch(error => console.error(error.response.status, error.response.data));

4. Spring Security Architecture

Stateless Design

  • No sessions - Each request is independently authenticated
  • No cookies - API key is the only credential transport mechanism
  • No state - Perfect for stateless REST APIs and cloud deployments
  • CSRF disabled - Appropriate for stateless token-based authentication

ApiKeyAuthFilter

A custom authentication filter (ApiKeyAuthFilter) is registered before the standard UsernamePasswordAuthenticationFilter:

  1. Extracts X-API-Key header from incoming request
  2. Validates key against configured key set
  3. Sets SecurityContext if key is valid
  4. Rejects with 401 if key is missing or invalid

Future-Proof Design

The architecture is designed for seamless JWT integration in v3.0.0: - ApiKeyAuthFilter can coexist with JwtAuthFilter - Both populate the same SecurityContext - Configuration remains simple (no complex role definitions yet) - Rate limiting can be added as a separate layer

Test Metrics

Module v2.21.0 v2.22.0 Delta
gecko-simulation-core 1,829 1,829 0
gecko-rest-api 204 224 +20
Main project 5,373 5,373 0
Total 7,406 7,426 +20

API Security Tests Added: - 10 authentication validation tests (missing key, invalid key, disabled auth mode) - 5 public endpoint tests (health, Swagger, OpenAPI spec) - 5 protected endpoint tests (API key required)

API Endpoint Count

Version Endpoints
v2.19.0 25
v2.20.0 28
v2.21.0 29
v2.22.0 32

Target for v3.0.0: 30+ — v2.22.0 already exceeds this target! 🎯

Migration Notes

  • No breaking changes from v2.21.0
  • Authentication is disabled by default — existing deployments work without changes
  • When enabled, public endpoints (health, docs, WebSocket) bypass authentication
  • All SSE and WebSocket endpoints remain functional
  • Existing client code continues to work; add X-API-Key header only when authentication is enabled

Upgrade Path

For v2.21.0 deployments:

  1. Upgrade without changes (auth disabled by default): 

    docker-compose up -d  # Pulls updated image
curl http://localhost:8080/api/v1/simulations  # Still works

  2. Enable authentication (optional): 

    gecko.api.auth-enabled=true
gecko.api.keys=prod-key-123,backup-key-456

  3. Update clients to include header: 

    curl -H "X-API-Key: prod-key-123" http://localhost:8080/api/v1/simulations

Deployment Configuration Examples

Docker Compose

version: '3.8'
services:
  gecko-rest-api:
    image: gecko-rest-api:latest
    ports:
      - "8080:8080"
    environment:
      GECKO_API_AUTH_ENABLED: "true"
      GECKO_API_KEYS: "key-1,key-2,key-3"

Kubernetes ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: gecko-rest-api-config
data:
  application.properties: |
    gecko.api.auth-enabled=true
    gecko.api.keys=prod-key-123,backup-key-456

Environment Variables

The application reads from both application.properties and environment variables:

export GECKO_API_AUTH_ENABLED=true
export GECKO_API_KEYS=my-key-1,my-key-2,my-key-3
java -jar gecko-rest-api.jar

Security Considerations

Key Management Best Practices

  1. Use Strong Keys - Treat API keys like passwords: 

    # Generate random 32-character key
openssl rand -hex 16  # 32 hex characters = 128 bits

  2. Rotate Keys Regularly - Update keys quarterly or on team changes 

    gecko.api.keys=new-key-1,old-key-1,emergency-key  # Old key still valid during rotation

  3. Store Securely - Use secrets management systems:

  4. Kubernetes Secrets
  5. AWS Secrets Manager
  6. HashiCorp Vault

  7. GitHub Actions secrets

  8. Limit Scope - Each environment needs separate keys: 

    # Development
gecko.api.keys=dev-key-123

# Production
gecko.api.keys=prod-key-456,backup-prod-key-789

Known Limitations (v2.22.0)

  • Single API key level (no role-based access control yet — coming in v3.0.0)
  • No key rotation tracking or logging
  • No rate limiting per key (coming in v2.23.0)
  • No API key expiration

Architecture Improvements

New Classes in gecko-rest-api:

  • gecko.rest.api.security.ApiKeyAuthFilter - Custom authentication filter
  • gecko.rest.api.security.ApiKeyAuthenticationToken - Authentication token holder
  • gecko.rest.api.security.ApiKeyAuthenticationProvider - Validates API keys
  • gecko.rest.api.config.SecurityConfig - Spring Security configuration
  • gecko.rest.api.dto.ErrorResponse - Standardized error response DTO

REST API Endpoints Modified:

  • All /api/v1/** endpoints now support API key authentication (when enabled)
  • Public endpoints (/api/v1/health, /actuator/health, /swagger-ui, /v3/api-docs, /ws, /ws-raw) bypass authentication

Performance Impact

  • Authentication overhead: <1ms per request (key lookup in memory set)
  • No external calls - All validation is local (no HTTP calls to auth service)
  • No database queries - Keys stored in memory for instant lookup
  • Stateless - No session state to maintain or clean up

Benchmark (on Intel i7-10700K): - 10,000 authenticated requests/sec per instance - <0.1ms average authentication latency

Deployment Considerations

Docker

# Build image with authentication support
./scripts/build-docker.sh

# Run with API key authentication
docker run \
  -e GECKO_API_AUTH_ENABLED=true \
  -e GECKO_API_KEYS=my-secure-key \
  -p 8080:8080 \
  gecko-rest-api:latest

Load Balancing

API key authentication works seamlessly with load balancers: - Stateless design = no sticky sessions required - Each instance validates independently - Keys can be stored in environment or ConfigMap

Always use HTTPS for API key authentication:

# Verify HTTPS is enabled in production
curl -k https://your-domain.com/api/v1/simulations \
  -H "X-API-Key: your-key"

# Bad practice - HTTP exposes keys in plain text!
curl http://your-domain.com/api/v1/simulations \
  -H "X-API-Key: your-key"

Security Roadmap

v2.22.0 ✅

  • API key foundation with stateless Spring Security
  • Public/protected endpoint separation
  • Configuration management
  • 20 new security tests

v2.23.0 (Planned)

  • Rate limiting per API key
  • Key rotation and expiration
  • Audit logging for authentication events

v3.0.0 (Planned)

  • JWT tokens with claims
  • Role-based access control (RBAC)
  • OAuth 2.0 support
  • API key retirement

Known Limitations

  • No API key expiration or rotation tracking
  • No per-key rate limiting (coming in v2.23.0)
  • No audit logs for authentication events
  • No key versioning or revocation history
  • Single key namespace (no scoped keys like "read-only" or "simulations-only")

These limitations will be addressed in future releases.

Upgrade Path

Existing v2.21.0 deployments can upgrade without code changes. API key authentication is optional and disabled by default.

For production deployments, enable authentication: 

gecko.api.auth-enabled=true
gecko.api.keys=your-secure-key-here

Then update clients to include the X-API-Key header in all requests.

See Also