Skip to content

feat: add API key management endpoints#348

Merged
greatest0fallt1me merged 2 commits into
CalloraOrg:mainfrom
isaacCodes1:feature/api-key-management-endpoints
May 27, 2026
Merged

feat: add API key management endpoints#348
greatest0fallt1me merged 2 commits into
CalloraOrg:mainfrom
isaacCodes1:feature/api-key-management-endpoints

Conversation

@isaacCodes1

@isaacCodes1 isaacCodes1 commented May 26, 2026

Copy link
Copy Markdown

Overview

This PR adds authenticated API-key lifecycle endpoints so developers can create, list, and revoke keys backed by apiKeyRepository. It returns the plaintext API key exactly once at creation time, stores only the hash and prefix, and exposes masked key metadata for later management.

Related Issue

Closes #327

Changes

🔑 API Key Management Endpoints

  • [ADD] src/routes/apiKeyRoutes.ts
  • Added authenticated endpoints to create, list, and revoke API keys.
  • Returns the plaintext API key exactly once on creation.
  • Enforces API ownership before key management operations are allowed.
  • Uses Zod validation for params and request bodies.

🗄️ Repository Updates

  • [MODIFY] src/repositories/apiKeyRepository.ts
  • Extended key creation to return creation metadata alongside the one-time plaintext key.
  • Added list support for developer/API-scoped key retrieval.
  • Preserved hashed-key storage and revocation behavior.

🌐 Routing Integration

  • [MODIFY] src/routes/index.ts

  • Mounted the API-key lifecycle router under the main /api route tree.

  • [MODIFY] src/app.ts

  • Wired app route creation so the new API-key routes use the configured repositories.

  • Removed the older ad-hoc revoke endpoint in favor of the dedicated router.

🧪 Tests

  • [MODIFY] src/routes/apiKeyRoutes.test.ts

  • Added route coverage for create, list, revoke, auth, ownership, and validation behavior.

  • [MODIFY] src/repositories/apiKeyRepository.test.ts

  • Added repository coverage for returned creation metadata and developer/API key listing.

  • [VERIFY] src/middleware/gatewayApiKeyAuth.test.ts

  • Confirmed revoked keys are rejected by gateway auth.

📚 Documentation

  • [MODIFY] README.md
  • Documented the new API-key management endpoints and the one-time plaintext-key behavior.

Verification Results

Acceptance Criteria Status
Plaintext key is shown only at creation
Listing masks key values and shows revoked status
Revoked keys are rejected by gateway auth
API-key lifecycle routes are authenticated
Validation errors return field details

Screenshots

✅ Repository and route tests

A screenshot of:

npm test -- src/repositories/apiKeyRepository.test.ts src/routes/apiKeyRoutes.test.ts
image ### ✅ Gateway auth revoke behavior A screenshot of:
npm test -- src/middleware/gatewayApiKeyAuth.test.ts
image

@drips-wave

drips-wave Bot commented May 26, 2026

Copy link
Copy Markdown

@isaacCodes1 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@greatest0fallt1me greatest0fallt1me merged commit 55fd538 into CalloraOrg:main May 27, 2026
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add API-key lifecycle endpoints (create, list, revoke) backed by apiKeyRepository

3 participants