diff --git a/server/controllers/session.controller.js b/server/controllers/session.controller.js
index 4b4e3025..c096bb85 100644
--- a/server/controllers/session.controller.js
+++ b/server/controllers/session.controller.js
@@ -13,7 +13,7 @@ export function createSession(req, res, next) {
         email: req.user.email,
         username: req.user.username,
         preferences: req.user.preferences,
-        apiKeys: req.user.apiKeys,
+        apiKeys: req.user.publicApiKeys,
         verified: req.user.verified,
         id: req.user._id
       });
@@ -27,7 +27,7 @@ export function getSession(req, res) {
       email: req.user.email,
       username: req.user.username,
       preferences: req.user.preferences,
-      apiKeys: req.user.apiKeys,
+      apiKeys: req.user.publicApiKeys,
       verified: req.user.verified,
       id: req.user._id
     });
diff --git a/server/models/user.js b/server/models/user.js
index 7e3dab45..ef0ded8f 100644
--- a/server/models/user.js
+++ b/server/models/user.js
@@ -16,6 +16,10 @@ const apiKeySchema = new Schema({
   hashedKey: { type: String, required: true },
 }, { timestamps: true, _id: true });
 
+apiKeySchema.virtual('publicFields').get(function publicFields() {
+  return { id: this.id, label: this.label, lastUsedAt: this.lastUsedAt };
+});
+
 apiKeySchema.virtual('id').get(function getApiKeyId() {
   return this._id.toHexString();
 });
@@ -95,6 +99,11 @@ userSchema.virtual('id').get(function idToString() {
   return this._id.toHexString();
 });
 
+userSchema.virtual('publicApiKeys').get(function publicApiKeys() {
+  return this.apiKeys.map(apiKey => apiKey.publicFields);
+});
+
+
 userSchema.set('toJSON', {
   virtuals: true
 });