Skip to content

feat: add env vars to restrict API key creation and usage to org owners #1007

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
brendan-kellam merged 4 commits into from
Mar 16, 2026
+510 −296
Merged

feat: add env vars to restrict API key creation and usage to org owners #1007

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
549f070
feat: add env vars to restrict API key creation and usage to org owners
brendan-kellam Mar 16, 2026
5f20e1c
chore: update CHANGELOG for #1007
brendan-kellam Mar 16, 2026
24b941d
chore: add Changed entry to CHANGELOG for deprecated env var
brendan-kellam Mar 16, 2026
f5ff9ea
fix(web): update withAuthV2 tests for getAuthenticatedUser source field
brendan-kellam Mar 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- Added AGENTS.md with Cursor Cloud development environment instructions. [#1001](https://github.com/sourcebot-dev/sourcebot/pull/1001)
- Added support for configuring SMTP via individual environment variables (SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD) as an alternative to SMTP_CONNECTION_URL. [#1002](https://github.com/sourcebot-dev/sourcebot/pull/1002)
- Added `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` and `DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS` environment variables to restrict API key creation and usage to organization owners. [#1007](https://github.com/sourcebot-dev/sourcebot/pull/1007)

### Changed
- Deprecated `EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS` in favour of `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS`. The old variable will continue to work as a fallback. [#1007](https://github.com/sourcebot-dev/sourcebot/pull/1007)

## [4.15.6] - 2026-03-13

Expand Down
3 changes: 3 additions & 0 deletions docs/docs/configuration/environment-variables.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,9 @@ The following environment variables allow you to configure your Sourcebot deploy
| `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `PERMISSION_SYNC_ENABLED` is `true`.</p> |
| `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` **(deprecated)** | `false` | <p>Deprecated. Use `PERMISSION_SYNC_ENABLED` instead.</p> |
| `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
| `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` | `false` | <p>When enabled, only organization owners can create API keys. Non-owner members will receive a `403` error if they attempt to create one.</p> |
| `EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS` **(deprecated)** | `false` | <p>Deprecated. Use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.</p> |
| `DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS` | `false` | <p>When enabled, only organization owners can create or use API keys. Non-owner members will receive a `403` error if they attempt to create or authenticate with an API key. If you only want to restrict creation (not usage), use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.</p> |


### Review Agent Environment Variables
Expand Down
15 changes: 14 additions & 1 deletion packages/shared/src/env.server.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -246,9 +246,22 @@ const options = {

SOURCEBOT_DEMO_EXAMPLES_PATH: z.string().optional(),

DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS: booleanSchema.default('false'),

DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS: booleanSchema
.optional()
.transform(value => {
return value ?? ((process.env.EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS as 'true' | 'false') ?? 'false');
}),

/**
* @deprecated Use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.
*/
EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS: booleanSchema.default('false'),


// Experimental Environment Variables
// @note: These environment variables are subject to change at any time and are not garunteed to be backwards compatible.
EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS: booleanSchema.default('false'),
EXPERIMENT_SELF_SERVE_REPO_INDEXING_ENABLED: booleanSchema.default('false'),
// @NOTE: Take care to update actions.ts when changing the name of this.
EXPERIMENT_SELF_SERVE_REPO_INDEXING_GITHUB_TOKEN: z.string().optional(),
Expand Down
15 changes: 14 additions & 1 deletion packages/web/src/actions.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,19 @@ export const withAuth = async <T>(fn: (userId: string, apiKeyHash: string | unde
return notAuthenticated();
}

if (env.DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS === 'true') {
const membership = await prisma.userToOrg.findFirst({
where: { userId: user.id },
});
if (membership?.role !== OrgRole.OWNER) {
return {
statusCode: StatusCodes.FORBIDDEN,
errorCode: ErrorCode.API_KEY_USAGE_DISABLED,
message: "API key usage is disabled for non-admin users.",
} satisfies ServiceError;
}
}

await prisma.apiKey.update({
where: {
hash: apiKeyOrError.apiKey.hash,
Expand Down Expand Up @@ -312,7 +325,7 @@ export const verifyApiKey = async (apiKeyPayload: ApiKeyPayload): Promise<{ apiK
export const createApiKey = async (name: string, domain: string): Promise<{ key: string } | ServiceError> => sew(() =>
withAuth((userId) =>
withOrgMembership(userId, domain, async ({ org, userRole }) => {
if (env.EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS === 'true' && userRole !== OrgRole.OWNER) {
if ((env.DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS === 'true' || env.DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS === 'true') && userRole !== OrgRole.OWNER) {
logger.error(`API key creation is disabled for non-admin users. User ${userId} is not an owner.`);
return {
statusCode: StatusCodes.FORBIDDEN,
Expand Down
287 changes: 287 additions & 0 deletions packages/web/src/app/[domain]/settings/apiKeys/apiKeysPage.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,287 @@
'use client';

import { createApiKey, getUserApiKeys } from "@/actions";
import { Button } from "@/components/ui/button";
import { Dialog, DialogContent, DialogFooter, DialogHeader, DialogTitle, DialogTrigger } from "@/components/ui/dialog";
import { Input } from "@/components/ui/input";
import { isServiceError } from "@/lib/utils";
import { Copy, Check, AlertTriangle, Loader2, Plus } from "lucide-react";
import { useCallback, useEffect, useMemo, useState } from "react";
import { useDomain } from "@/hooks/useDomain";
import { useToast } from "@/components/hooks/use-toast";
import useCaptureEvent from "@/hooks/useCaptureEvent";
import { DataTable } from "@/components/ui/data-table";
import { columns, ApiKeyColumnInfo } from "./columns";
import { Skeleton } from "@/components/ui/skeleton";
import { Tooltip, TooltipContent, TooltipProvider, TooltipTrigger } from "@/components/ui/tooltip";

export function ApiKeysPage({ canCreateApiKey }: { canCreateApiKey: boolean }) {
const domain = useDomain();
const { toast } = useToast();
const captureEvent = useCaptureEvent();

const [apiKeys, setApiKeys] = useState<{ name: string; createdAt: Date; lastUsedAt: Date | null }[]>([]);
const [isLoading, setIsLoading] = useState(true);
const [isCreateDialogOpen, setIsCreateDialogOpen] = useState(false);
const [newKeyName, setNewKeyName] = useState("");
const [isCreatingKey, setIsCreatingKey] = useState(false);
const [newlyCreatedKey, setNewlyCreatedKey] = useState<string | null>(null);
const [copySuccess, setCopySuccess] = useState(false);
const [error, setError] = useState<string | null>(null);

const loadApiKeys = useCallback(async () => {
setIsLoading(true);
setError(null);
try {
const keys = await getUserApiKeys(domain);
if (isServiceError(keys)) {
setError("Failed to load API keys");
toast({
title: "Error",
description: "Failed to load API keys",
variant: "destructive",
});
return;
}
setApiKeys(keys);
} catch (error) {
console.error(error);
setError("Failed to load API keys");
toast({
title: "Error",
description: "Failed to load API keys",
variant: "destructive",
});
} finally {
setIsLoading(false);
}
}, [domain, toast]);

useEffect(() => {
loadApiKeys();
}, [loadApiKeys]);

const handleCreateApiKey = async () => {
if (!newKeyName.trim()) {
toast({
title: "Error",
description: "API key name cannot be empty",
variant: "destructive",
});
return;
}

setIsCreatingKey(true);
try {
const result = await createApiKey(newKeyName.trim(), domain);
if (isServiceError(result)) {
toast({
title: "Error",
description: `Failed to create API key: ${result.message}`,
variant: "destructive",
});
captureEvent('wa_api_key_creation_fail', {});

return;
}

setNewlyCreatedKey(result.key);
await loadApiKeys();
captureEvent('wa_api_key_created', {});
} catch (error) {
console.error(error);
toast({
title: "Error",
description: `Failed to create API key: ${error}`,
variant: "destructive",
});
captureEvent('wa_api_key_creation_fail', {});
} finally {
setIsCreatingKey(false);
}
};

const handleCopyApiKey = () => {
if (!newlyCreatedKey) return;

navigator.clipboard.writeText(newlyCreatedKey)
.then(() => {
setCopySuccess(true);
setTimeout(() => setCopySuccess(false), 2000);
})
.catch(() => {
toast({
title: "Error",
description: "Failed to copy API key to clipboard",
variant: "destructive",
});
});
};

const handleCloseDialog = () => {
setIsCreateDialogOpen(false);
setNewKeyName("");
setNewlyCreatedKey(null);
setCopySuccess(false);
};

const tableData = useMemo(() => {
if (isLoading) return Array(4).fill(null).map(() => ({
name: "",
createdAt: "",
lastUsedAt: null,
}));

if (!apiKeys) return [];

return apiKeys.map((key): ApiKeyColumnInfo => ({
name: key.name,
createdAt: key.createdAt.toISOString(),
lastUsedAt: key.lastUsedAt?.toISOString() ?? null,
})).sort((a, b) => {
return new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime();
});
}, [apiKeys, isLoading]);

const tableColumns = useMemo(() => {
if (isLoading) {
return columns().map((column) => {
if ('accessorKey' in column && column.accessorKey === "name") {
return {
...column,
cell: () => (
<div className="flex items-center gap-2">
<Skeleton className="h-4 w-4 rounded-md" /> {/* Icon skeleton */}
<Skeleton className="h-4 w-48" /> {/* Name skeleton */}
</div>
),
}
}

return {
...column,
cell: () => <Skeleton className="h-4 w-24" />,
}
})
}

return columns();
}, [isLoading]);

if (error) {
return <div>Error loading API keys</div>;
}

return (
<div className="flex flex-col gap-6">
<div className="flex flex-row items-center justify-between">
<div>
<h3 className="text-lg font-medium">API Keys</h3>
<p className="text-sm text-muted-foreground max-w-lg">
Create and manage API keys for programmatic access to Sourcebot. All API keys are scoped to the user who created them.
</p>
</div>

<TooltipProvider>
<Tooltip>
{!canCreateApiKey && (
<TooltipContent>
API key creation is restricted.
</TooltipContent>
)}
<TooltipTrigger asChild>
<span className={!canCreateApiKey ? "cursor-not-allowed" : undefined}>
<Dialog open={isCreateDialogOpen} onOpenChange={setIsCreateDialogOpen}>
<DialogTrigger asChild>
<Button
disabled={!canCreateApiKey}
className={!canCreateApiKey ? "pointer-events-none" : undefined}
onClick={() => {
setNewlyCreatedKey(null);
setNewKeyName("");
setIsCreateDialogOpen(true);
}}
>
<Plus className="h-4 w-4 mr-2" />
Create API Key
</Button>
</DialogTrigger>
<DialogContent className="sm:max-w-md">
<DialogHeader>
<DialogTitle>{newlyCreatedKey ? 'Your New API Key' : 'Create API Key'}</DialogTitle>
</DialogHeader>

{newlyCreatedKey ? (
<div className="space-y-4">
<div className="flex items-center gap-2 p-3 border border-yellow-200 dark:border-yellow-800 bg-yellow-50 dark:bg-yellow-900/20 rounded-md text-yellow-700 dark:text-yellow-400">
<AlertTriangle className="h-5 w-5 flex-shrink-0" />
<p className="text-sm">
This is the only time you&apos;ll see this API key. Make sure to copy it now.
</p>
</div>

<div className="flex items-center space-x-2">
<div className="bg-muted p-2 rounded-md text-sm flex-1 break-all font-mono">
{newlyCreatedKey}
</div>
<Button
size="icon"
variant="outline"
onClick={handleCopyApiKey}
>
{copySuccess ? (
<Check className="h-4 w-4 text-green-500" />
) : (
<Copy className="h-4 w-4" />
)}
</Button>
</div>
</div>
) : (
<div className="py-4">
<Input
value={newKeyName}
onChange={(e) => setNewKeyName(e.target.value)}
placeholder="Enter a name for your API key"
className="mb-2"
/>
</div>
)}

<DialogFooter className="sm:justify-between">
{newlyCreatedKey ? (
<Button onClick={handleCloseDialog}>
Done
</Button>
) : (
<>
<Button variant="outline" onClick={handleCloseDialog}>
Cancel
</Button>
<Button
onClick={handleCreateApiKey}
disabled={isCreatingKey || !newKeyName.trim()}
>
{isCreatingKey && <Loader2 className="h-4 w-4 mr-2 animate-spin" />}
Create
</Button>
</>
)}
</DialogFooter>
</DialogContent>
</Dialog>
</span>
</TooltipTrigger>
</Tooltip>
</TooltipProvider>
</div>

<DataTable
columns={tableColumns}
data={tableData}
searchKey="name"
searchPlaceholder="Search API keys..."
/>
</div>
);
}
Loading
Loading