feat: add env vars to restrict API key creation and usage to org owners #1007

Merged
brendan-kellam merged 4 commits into main from brendan/api-key-usage-controls-SOU-698
Mar 16, 2026
brendan-kellam commented Mar 16, 2026

Summary

  • Adds DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS env var — when enabled, only org owners can create API keys
  • Adds DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS env var — when enabled, only org owners can create or authenticate with API keys (superset of the creation flag)
  • Deprecates EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS in favour of DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS (backwards-compatible via transform fallback)
  • Refactors getAuthenticatedUser to return a source field ('session' | 'oauth' | 'api_key') so getAuthContext can enforce the usage flag at the auth layer
  • Disables the "Create API Key" button in the settings UI with a tooltip when creation is restricted
  • Adds a layout guard that returns 404 for non-owners when DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS is set
  • Documents both new env vars in environment-variables.mdx

Fixes SOU-698

Test plan

  • With neither flag set, all users can create and use API keys as before
  • With DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS=true, non-owner members see the "Create API Key" button disabled with a tooltip; creation via the API returns 403
  • With DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS=true, non-owner members are redirected to 404 on the API Keys settings page; creation and API key authentication both return 403; owners are unaffected
  • Setting EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS=true still works as before (fallback to new var)

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • New Features

    • Added environment configuration options to restrict API key creation and usage to organization owners.
    • Introduced dedicated API Keys management page in organization settings with role-based visibility controls.
  • Deprecations

    • Deprecated legacy environment variable; replaced with new naming convention while maintaining backward compatibility.

coderabbitai bot commented Mar 16, 2026

Walkthrough

This PR introduces two new environment variables to restrict API key creation and usage exclusively to organization owners. It updates environment configuration with backward compatibility for a deprecated flag, implements permission checks in authentication and API key creation flows, refactors the API keys settings page into server and client components, adds client-side UI for managing keys, and includes comprehensive test coverage for the new restrictions.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Configuration & Documentation: CHANGELOG.md, docs/docs/configuration/environment-variables.mdx | Documents new environment variables DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS and DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS, and deprecates EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS with fallback support. |
| Environment Setup: packages/shared/src/env.server.ts | Adds two public environment variables for API key restrictions with transform logic that reads the legacy EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS as fallback for backward compatibility. |
| Error Handling: packages/web/src/lib/errorCodes.ts | Introduces API_KEY_USAGE_DISABLED error code to represent when non-owner users attempt to use API keys when restricted. |
| Authentication Logic: packages/web/src/withAuthV2.ts, packages/web/src/withAuthV2.test.ts | Refactors getAuthenticatedUser to return both user and authentication source; adds early forbidden check in getAuthContext for API key usage restrictions on non-owners; expands tests to verify behavior with DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS flag. |
| API Key Creation Logic: packages/web/src/actions.ts | Enforces dual-condition check: blocks API key creation if either DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS or DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS is enabled for non-owners; adds API_KEY_USAGE_DISABLED guard during key usage. |
| API Keys UI & Routing: packages/web/src/app/[domain]/settings/apiKeys/apiKeysPage.tsx, packages/web/src/app/[domain]/settings/apiKeys/layout.tsx, packages/web/src/app/[domain]/settings/apiKeys/page.tsx | Introduces new server layout that enforces owner-only access via notFound() when DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS is enabled; refactors page.tsx to compute canCreateApiKey permission server-side and delegate rendering to new client component apiKeysPage.tsx; new component handles key listing, creation, reveal, and copy flows with loading and error states. |
| Navigation Visibility: packages/web/src/app/[domain]/settings/layout.tsx | Makes API Keys sidebar navigation item conditional, hiding it for non-owners when DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS is enabled. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

sourcebot-team

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically summarizes the main changes: adding environment variables to restrict API key creation and usage to organization owners. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


brendan-kellam merged commit cf85620 into main Mar 16, 2026
8 checks passed
brendan-kellam deleted the brendan/api-key-usage-controls-SOU-698 branch March 16, 2026 20:25
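
The flag semantics described in the PR summary and test plan above (usage flag as a superset of the creation flag, deprecated variable as a fallback, enforcement keyed on the auth source), as an added TypeScript example that is not code from this PR or from Sourcebot. Only the three env var names and the source values come from the page; the role labels, function names, the "true"-only parsing, the new-name-wins precedence and the exemption of session and OAuth requests are assumptions.

```typescript
// Added illustration; not Sourcebot's implementation. Only the three env var
// names and the 'session' | 'oauth' | 'api_key' source values come from the PR.
type AuthSource = 'session' | 'oauth' | 'api_key';
type OrgRole = 'OWNER' | 'MEMBER'; // hypothetical role labels
type Env = Record<string, string | undefined>;

interface ApiKeyPolicy {
  creationOwnerOnly: boolean;
  usageOwnerOnly: boolean;
}

// Assumption: a flag is enabled only by the literal string "true".
const isOn = (v: string | undefined): boolean => v === 'true';

function resolveApiKeyPolicy(env: Env): ApiKeyPolicy {
  // Assumption: the new name wins when both are set; the deprecated name is
  // consulted only when the new one is absent.
  const creation =
    env.DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS ??
    env.EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS;
  return {
    creationOwnerOnly: isOn(creation),
    usageOwnerOnly: isOn(env.DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS),
  };
}

// Creation is denied to non-owners when either flag is on (usage is a superset).
function creationStatus(p: ApiKeyPolicy, role: OrgRole): 200 | 403 {
  if (role === 'OWNER') return 200;
  return p.creationOwnerOnly || p.usageOwnerOnly ? 403 : 200;
}

// Only requests authenticated with an API key are affected by the usage flag;
// treating session and OAuth requests as exempt is an assumption of this example.
function authStatus(p: ApiKeyPolicy, role: OrgRole, source: AuthSource): 200 | 403 {
  if (source !== 'api_key' || role === 'OWNER') return 200;
  return p.usageOwnerOnly ? 403 : 200;
}

// Constructed sample deployments: one still using the deprecated name, one
// using the stricter usage flag.
const legacyOnly = resolveApiKeyPolicy({
  EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS: 'true',
});
const usageOnly = resolveApiKeyPolicy({
  DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS: 'true',
});
```

With only the creation flag set, keys a member created before the restriction still authenticate; the usage flag is the one that also cuts those off.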