cli: add coder tokens expire command #21782

@blinkagent

Context

During an incident on dev.coder.com, we needed to urgently expire an API key that was stuck in a hot loop hitting the external-auth endpoint at ~60 rps. The only way to expire the key was via direct database access:

UPDATE api_keys SET expires_at = NOW() WHERE id = '...';

This is not ideal for operators who may not have direct DB access or want to avoid manual SQL.

Proposal

Add a coder tokens expire command that allows admins/owners to immediately expire a token by ID:

coder tokens expire <token-id>
coder tokens expire <token-id> --user <user>

This would complement the existing commands:

  • coder tokens create
  • coder tokens ls
  • coder tokens view
  • coder tokens rm

Implementation notes

  • Could reuse the existing DELETE /api/v2/users/{user}/keys/{keyid} endpoint, or add a new PATCH endpoint to set expires_at = NOW()
  • rm deletes the key entirely; expire would preserve it for audit trail purposes
  • Should require appropriate RBAC permissions (token owner or admin)

Related

  • Consider also logging API key ID in HTTP request logs for better forensics

Created on behalf of @johnstcn
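
The distinction drawn in the implementation notes (expire keeps the key for the audit trail, rm deletes it, and only the token owner or an admin may act) can be sketched as follows. This is an added example, not Coder's code: `APIKey`, `Actor`, `ExpireKey`, `Valid` and the in-memory map standing in for the `api_keys` table are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// APIKey is a hypothetical stand-in for a row in api_keys.
type APIKey struct {
	ID, UserID string
	ExpiresAt  time.Time
}

// Actor is the caller; IsAdmin models the admin/owner role.
type Actor struct {
	UserID  string
	IsAdmin bool
}

var ErrNotFound = errors.New("api key not found")
var ErrForbidden = errors.New("actor may not expire this key")

// ExpireKey sets ExpiresAt to now and keeps the row, unlike a delete.
// It reports whether the expiry changed; an already-expired key is untouched.
func ExpireKey(store map[string]*APIKey, actor Actor, keyID string, now time.Time) (bool, error) {
	key, ok := store[keyID]
	if !ok {
		return false, ErrNotFound
	}
	if !actor.IsAdmin && actor.UserID != key.UserID {
		return false, ErrForbidden // neither token owner nor admin
	}
	if !key.ExpiresAt.After(now) {
		return false, nil // keep the original expiry in the record
	}
	key.ExpiresAt = now
	return true, nil
}

// Valid is the per-request check an auth layer would apply.
func Valid(key *APIKey, now time.Time) bool { return key.ExpiresAt.After(now) }

func main() {
	now := time.Date(2026, 1, 1, 12, 0, 0, 0, time.UTC) // constructed sample data
	store := map[string]*APIKey{"key1": {ID: "key1", UserID: "alice", ExpiresAt: now.Add(24 * time.Hour)}}
	changed, err := ExpireKey(store, Actor{UserID: "admin", IsAdmin: true}, "key1", now)
	fmt.Println(changed, err, Valid(store["key1"], now), len(store)) // row is still present
}
```

Leaving an already-expired key untouched means a repeated expire call never moves the recorded expiry time forward.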
