sourcebot-dev
diff --git a/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎docs/docs/configuration/environment-variables.mdx‎
Lines changed: 3 additions & 0 deletions b/‎docs/docs/configuration/environment-variables.mdx‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎packages/shared/src/env.server.ts‎
Lines changed: 14 additions & 1 deletion b/‎packages/shared/src/env.server.ts‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎packages/web/src/actions.ts‎
Lines changed: 14 additions & 1 deletion b/‎packages/web/src/actions.ts‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎packages/web/src/app/[domain]/settings/apiKeys/apiKeysPage.tsx‎
Lines changed: 287 additions & 0 deletions b/‎packages/web/src/app/[domain]/settings/apiKeys/apiKeysPage.tsx‎
Lines changed: 287 additions & 0 deletions
@@ -10,6 +10,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Added AGENTS.md with Cursor Cloud development environment instructions. [#1001](https://github.com/sourcebot-dev/sourcebot/pull/1001)
 - Added support for configuring SMTP via individual environment variables (SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD) as an alternative to SMTP_CONNECTION_URL. [#1002](https://github.com/sourcebot-dev/sourcebot/pull/1002)
+- Added `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` and `DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS` environment variables to restrict API key creation and usage to organization owners. [#1007](https://github.com/sourcebot-dev/sourcebot/pull/1007)
+
+### Changed
+- Deprecated `EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS` in favour of `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS`. The old variable will continue to work as a fallback. [#1007](https://github.com/sourcebot-dev/sourcebot/pull/1007)
 
 ## [4.15.6] - 2026-03-13
 
 
@@ -53,6 +53,9 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `PERMISSION_SYNC_ENABLED` is `true`.</p> |
 | `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` **(deprecated)** | `false` | <p>Deprecated. Use `PERMISSION_SYNC_ENABLED` instead.</p> |
 | `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
+| `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` | `false` | <p>When enabled, only organization owners can create API keys. Non-owner members will receive a `403` error if they attempt to create one.</p> |
+| `EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS` **(deprecated)** | `false` | <p>Deprecated. Use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.</p> |
+| `DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS` | `false` | <p>When enabled, only organization owners can create or use API keys. Non-owner members will receive a `403` error if they attempt to create or authenticate with an API key. If you only want to restrict creation (not usage), use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.</p> |
 
 
 ### Review Agent Environment Variables
 
@@ -246,9 +246,22 @@ const options = {
 
         SOURCEBOT_DEMO_EXAMPLES_PATH: z.string().optional(),
 
+        DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS: booleanSchema.default('false'),
+
+        DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS: booleanSchema
+            .optional()
+            .transform(value => {
+                return value ?? ((process.env.EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS as 'true' | 'false') ?? 'false');
+            }),
+
+        /**
+         * @deprecated Use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.
+         */
+        EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS: booleanSchema.default('false'),
+
+
         // Experimental Environment Variables
         // @note: These environment variables are subject to change at any time and are not garunteed to be backwards compatible.
-        EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS: booleanSchema.default('false'),
         EXPERIMENT_SELF_SERVE_REPO_INDEXING_ENABLED: booleanSchema.default('false'),
         // @NOTE: Take care to update actions.ts when changing the name of this.
         EXPERIMENT_SELF_SERVE_REPO_INDEXING_GITHUB_TOKEN: z.string().optional(),
 
@@ -82,6 +82,19 @@ export const withAuth = async <T>(fn: (userId: string, apiKeyHash: string | unde
                 return notAuthenticated();
             }
 
+            if (env.DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS === 'true') {
+                const membership = await prisma.userToOrg.findFirst({
+                    where: { userId: user.id },
+                });
+                if (membership?.role !== OrgRole.OWNER) {
+                    return {
+                        statusCode: StatusCodes.FORBIDDEN,
+                        errorCode: ErrorCode.API_KEY_USAGE_DISABLED,
+                        message: "API key usage is disabled for non-admin users.",
+                    } satisfies ServiceError;
+                }
+            }
+
             await prisma.apiKey.update({
                 where: {
                     hash: apiKeyOrError.apiKey.hash,
@@ -312,7 +325,7 @@ export const verifyApiKey = async (apiKeyPayload: ApiKeyPayload): Promise<{ apiK
 export const createApiKey = async (name: string, domain: string): Promise<{ key: string } | ServiceError> => sew(() =>
     withAuth((userId) =>
         withOrgMembership(userId, domain, async ({ org, userRole }) => {
-            if (env.EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS === 'true' && userRole !== OrgRole.OWNER) {
+            if ((env.DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS === 'true' || env.DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS === 'true') && userRole !== OrgRole.OWNER) {
                logger.error(`API key creation is disabled for non-admin users. User ${userId} is not an owner.`);
                return {
                 statusCode: StatusCodes.FORBIDDEN,
 
@@ -0,0 +1,287 @@
+'use client';
+
+import { createApiKey, getUserApiKeys } from "@/actions";
+import { Button } from "@/components/ui/button";
+import { Dialog, DialogContent, DialogFooter, DialogHeader, DialogTitle, DialogTrigger } from "@/components/ui/dialog";
+import { Input } from "@/components/ui/input";
+import { isServiceError } from "@/lib/utils";
+import { Copy, Check, AlertTriangle, Loader2, Plus } from "lucide-react";
+import { useCallback, useEffect, useMemo, useState } from "react";
+import { useDomain } from "@/hooks/useDomain";
+import { useToast } from "@/components/hooks/use-toast";
+import useCaptureEvent from "@/hooks/useCaptureEvent";
+import { DataTable } from "@/components/ui/data-table";
+import { columns, ApiKeyColumnInfo } from "./columns";
+import { Skeleton } from "@/components/ui/skeleton";
+import { Tooltip, TooltipContent, TooltipProvider, TooltipTrigger } from "@/components/ui/tooltip";
+
+export function ApiKeysPage({ canCreateApiKey }: { canCreateApiKey: boolean }) {
+    const domain = useDomain();
+    const { toast } = useToast();
+    const captureEvent = useCaptureEvent();
+
+    const [apiKeys, setApiKeys] = useState<{ name: string; createdAt: Date; lastUsedAt: Date | null }[]>([]);
+    const [isLoading, setIsLoading] = useState(true);
+    const [isCreateDialogOpen, setIsCreateDialogOpen] = useState(false);
+    const [newKeyName, setNewKeyName] = useState("");
+    const [isCreatingKey, setIsCreatingKey] = useState(false);
+    const [newlyCreatedKey, setNewlyCreatedKey] = useState<string | null>(null);
+    const [copySuccess, setCopySuccess] = useState(false);
+    const [error, setError] = useState<string | null>(null);
+
+    const loadApiKeys = useCallback(async () => {
+        setIsLoading(true);
+        setError(null);
+        try {
+            const keys = await getUserApiKeys(domain);
+            if (isServiceError(keys)) {
+                setError("Failed to load API keys");
+                toast({
+                    title: "Error",
+                    description: "Failed to load API keys",
+                    variant: "destructive",
+                });
+                return;
+            }
+            setApiKeys(keys);
+        } catch (error) {
+            console.error(error);
+            setError("Failed to load API keys");
+            toast({
+                title: "Error",
+                description: "Failed to load API keys",
+                variant: "destructive",
+            });
+        } finally {
+            setIsLoading(false);
+        }
+    }, [domain, toast]);
+
+    useEffect(() => {
+        loadApiKeys();
+    }, [loadApiKeys]);
+
+    const handleCreateApiKey = async () => {
+        if (!newKeyName.trim()) {
+            toast({
+                title: "Error",
+                description: "API key name cannot be empty",
+                variant: "destructive",
+            });
+            return;
+        }
+
+        setIsCreatingKey(true);
+        try {
+            const result = await createApiKey(newKeyName.trim(), domain);
+            if (isServiceError(result)) {
+                toast({
+                    title: "Error",
+                    description: `Failed to create API key: ${result.message}`,
+                    variant: "destructive",
+                });
+                captureEvent('wa_api_key_creation_fail', {});
+
+                return;
+            }
+
+            setNewlyCreatedKey(result.key);
+            await loadApiKeys();
+            captureEvent('wa_api_key_created', {});
+        } catch (error) {
+            console.error(error);
+            toast({
+                title: "Error",
+                description: `Failed to create API key: ${error}`,
+                variant: "destructive",
+            });
+            captureEvent('wa_api_key_creation_fail', {});
+        } finally {
+            setIsCreatingKey(false);
+        }
+    };
+
+    const handleCopyApiKey = () => {
+        if (!newlyCreatedKey) return;
+
+        navigator.clipboard.writeText(newlyCreatedKey)
+            .then(() => {
+                setCopySuccess(true);
+                setTimeout(() => setCopySuccess(false), 2000);
+            })
+            .catch(() => {
+                toast({
+                    title: "Error",
+                    description: "Failed to copy API key to clipboard",
+                    variant: "destructive",
+                });
+            });
+    };
+
+    const handleCloseDialog = () => {
+        setIsCreateDialogOpen(false);
+        setNewKeyName("");
+        setNewlyCreatedKey(null);
+        setCopySuccess(false);
+    };
+
+    const tableData = useMemo(() => {
+        if (isLoading) return Array(4).fill(null).map(() => ({
+            name: "",
+            createdAt: "",
+            lastUsedAt: null,
+        }));
+
+        if (!apiKeys) return [];
+
+        return apiKeys.map((key): ApiKeyColumnInfo => ({
+            name: key.name,
+            createdAt: key.createdAt.toISOString(),
+            lastUsedAt: key.lastUsedAt?.toISOString() ?? null,
+        })).sort((a, b) => {
+            return new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime();
+        });
+    }, [apiKeys, isLoading]);
+
+    const tableColumns = useMemo(() => {
+        if (isLoading) {
+            return columns().map((column) => {
+                if ('accessorKey' in column && column.accessorKey === "name") {
+                    return {
+                        ...column,
+                        cell: () => (
+                            <div className="flex items-center gap-2">
+                                <Skeleton className="h-4 w-4 rounded-md" /> {/* Icon skeleton */}
+                                <Skeleton className="h-4 w-48" /> {/* Name skeleton */}
+                            </div>
+                        ),
+                    }
+                }
+
+                return {
+                    ...column,
+                    cell: () => <Skeleton className="h-4 w-24" />,
+                }
+            })
+        }
+
+        return columns();
+    }, [isLoading]);
+
+    if (error) {
+        return <div>Error loading API keys</div>;
+    }
+
+    return (
+        <div className="flex flex-col gap-6">
+            <div className="flex flex-row items-center justify-between">
+                <div>
+                    <h3 className="text-lg font-medium">API Keys</h3>
+                    <p className="text-sm text-muted-foreground max-w-lg">
+                        Create and manage API keys for programmatic access to Sourcebot. All API keys are scoped to the user who created them.
+                    </p>
+                </div>
+
+                <TooltipProvider>
+                    <Tooltip>
+                        {!canCreateApiKey && (
+                            <TooltipContent>
+                                API key creation is restricted.
+                            </TooltipContent>
+                        )}
+                        <TooltipTrigger asChild>
+                            <span className={!canCreateApiKey ? "cursor-not-allowed" : undefined}>
+                                <Dialog open={isCreateDialogOpen} onOpenChange={setIsCreateDialogOpen}>
+                                    <DialogTrigger asChild>
+                                        <Button
+                                            disabled={!canCreateApiKey}
+                                            className={!canCreateApiKey ? "pointer-events-none" : undefined}
+                                            onClick={() => {
+                                                setNewlyCreatedKey(null);
+                                                setNewKeyName("");
+                                                setIsCreateDialogOpen(true);
+                                            }}
+                                        >
+                                            <Plus className="h-4 w-4 mr-2" />
+                                            Create API Key
+                                        </Button>
+                                    </DialogTrigger>
+                                    <DialogContent className="sm:max-w-md">
+                                        <DialogHeader>
+                                            <DialogTitle>{newlyCreatedKey ? 'Your New API Key' : 'Create API Key'}</DialogTitle>
+                                        </DialogHeader>
+
+                                        {newlyCreatedKey ? (
+                                            <div className="space-y-4">
+                                                <div className="flex items-center gap-2 p-3 border border-yellow-200 dark:border-yellow-800 bg-yellow-50 dark:bg-yellow-900/20 rounded-md text-yellow-700 dark:text-yellow-400">
+                                                    <AlertTriangle className="h-5 w-5 flex-shrink-0" />
+                                                    <p className="text-sm">
+                                                        This is the only time you&apos;ll see this API key. Make sure to copy it now.
+                                                    </p>
+                                                </div>
+
+                                                <div className="flex items-center space-x-2">
+                                                    <div className="bg-muted p-2 rounded-md text-sm flex-1 break-all font-mono">
+                                                        {newlyCreatedKey}
+                                                    </div>
+                                                    <Button
+                                                        size="icon"
+                                                        variant="outline"
+                                                        onClick={handleCopyApiKey}
+                                                    >
+                                                        {copySuccess ? (
+                                                            <Check className="h-4 w-4 text-green-500" />
+                                                        ) : (
+                                                            <Copy className="h-4 w-4" />
+                                                        )}
+                                                    </Button>
+                                                </div>
+                                            </div>
+                                        ) : (
+                                            <div className="py-4">
+                                                <Input
+                                                    value={newKeyName}
+                                                    onChange={(e) => setNewKeyName(e.target.value)}
+                                                    placeholder="Enter a name for your API key"
+                                                    className="mb-2"
+                                                />
+                                            </div>
+                                        )}
+
+                                        <DialogFooter className="sm:justify-between">
+                                            {newlyCreatedKey ? (
+                                                <Button onClick={handleCloseDialog}>
+                                                    Done
+                                                </Button>
+                                            ) : (
+                                                <>
+                                                    <Button variant="outline" onClick={handleCloseDialog}>
+                                                        Cancel
+                                                    </Button>
+                                                    <Button
+                                                        onClick={handleCreateApiKey}
+                                                        disabled={isCreatingKey || !newKeyName.trim()}
+                                                    >
+                                                        {isCreatingKey && <Loader2 className="h-4 w-4 mr-2 animate-spin" />}
+                                                        Create
+                                                    </Button>
+                                                </>
+                                            )}
+                                        </DialogFooter>
+                                    </DialogContent>
+                                </Dialog>
+                            </span>
+                        </TooltipTrigger>
+                    </Tooltip>
+                </TooltipProvider>
+            </div>
+
+            <DataTable
+                columns={tableColumns}
+                data={tableData}
+                searchKey="name"
+                searchPlaceholder="Search API keys..."
+            />
+        </div>
+    );
+}