diff --git a/auth/api_key.go b/auth/api_key.go
index 7f6c6ef993400691e3153be97077e818a6d5d61e..935505bee993a4594db461c61574eebe34b15eee 100644
--- a/auth/api_key.go
+++ b/auth/api_key.go
@@ -32,3 +32,14 @@ func GetApiKeyFromHeaders(headers map[string]string) string {
 	}
 	return ""
 }
+
+// MaskAPIKey masks an API key in the form "abc***xyz"
+func MaskAPIKey(key string) string {
+	keyRunes := []rune(key)
+	keyLength := len(keyRunes)
+	if keyLength > 6 {
+		return string(keyRunes[:3]) + "***" + string(keyRunes[keyLength-3:])
+	}
+	// This shouldn't happen, but if we don't have more than 6 characters, mask in the form "***z"
+	return "***" + string(keyRunes[keyLength-1])
+}