Using Mutual TLS to create API keys

I would just like a sanity check on my plan to implement API authentication/authorization.

  1. Authorized URLs are placed in a secure DB
  2. The client server places a GET request to the api-key service with mutual TLS
  3. The URL in the cert is compared to the DB of authorized URLs, and the cert itself checked for validity
  4. A 512-bit API key is generated from a CSRNG, SHA hashed, then the hash of the key is stored in a secure location. This key expires after 8 hours
  5. Subsequent requests from the client server place this key in the authorization header and are compared to the stored hash for validity

Are there any problems with this approach that should give me pause?
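
Steps 3 to 5 above in Python, as an added example that is not part of the original post. It assumes SHA-256 for the unspecified "SHA" hash, an in-memory set and dict standing in for the secure stores, and a TLS layer that has already validated the client certificate and extracted its URL; all names are hypothetical.

```python
import hashlib
import secrets
import time

KEY_BYTES = 64            # 512-bit key (step 4)
TTL_SECONDS = 8 * 3600    # 8-hour lifetime (step 4)

# Constructed stand-ins for the "secure DB" and "secure location" in the post.
AUTHORIZED_URLS = {"https://client.example.test"}
_key_store = {}  # sha256 hex digest of key -> (client URL, expiry timestamp)


def _digest(key):
    # Assumption: SHA-256. A fast hash is acceptable here only because the
    # key is 512 bits of CSPRNG output, not a human-chosen secret.
    return hashlib.sha256(key.encode("ascii", "replace")).hexdigest()


def issue_key(cert_url, cert_verified, now=None):
    """Steps 3-4: issue a key to a verified, allowlisted client, else None.

    cert_url and cert_verified are assumed to be supplied by the TLS layer
    after it has validated the client certificate chain.
    """
    now = time.time() if now is None else now
    if not cert_verified or cert_url not in AUTHORIZED_URLS:
        return None
    key = secrets.token_urlsafe(KEY_BYTES)  # 64 bytes from the OS CSPRNG
    _key_store[_digest(key)] = (cert_url, now + TTL_SECONDS)
    return key  # plaintext leaves the service once; only the hash is kept


def verify_key(presented_key, now=None):
    """Step 5: return the owning client URL for a valid key, else None."""
    now = time.time() if now is None else now
    digest = _digest(presented_key)
    record = _key_store.get(digest)
    if record is None:
        return None
    client_url, expires_at = record
    if now >= expires_at:
        _key_store.pop(digest, None)  # purge expired entries on contact
        return None
    # Assumption: removing a URL from the allowlist should also invalidate
    # keys already issued to it, so the allowlist is re-checked here.
    if client_url not in AUTHORIZED_URLS:
        return None
    return client_url
```

Returning the client URL from `verify_key` lets the caller make per-client authorization decisions instead of treating any valid key as equivalent.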