fix(mcp-server-admin): correct CreateApiKey GraphQL mutation #173
Merged: dsklyar merged 1 commit, Jun 2, 2026
The hand-rolled CreateApiKey mutation selected `scopes` without subfields
and queried a non-existent top-level `token` field, causing every
`admin_create_api_key` invocation to 400 with GRAPHQL_VALIDATION_FAILED.
Fixes ZEL-7752 by:
- selecting `scopes { id name }` per the CreatedApiKey schema
- reading the plain-text token from its real location at
`createApiKey.apiKey.apiKey` and re-exposing it as `token` so the
public `{ apiKey, token }` return shape is unchanged
- adding a regression test that exercises AdminMixin.createApiKey
against a stubbed fetch to guard the mutation body and adapter
dawson-turechek-transcend (Member) approved these changes on Jun 2, 2026 and left a comment:
Looks good!
| createApiKey: { apiKey: ApiKey & { apiKey: string } }; | ||
| }>(mutation, { input }); | ||
| const { apiKey: token, ...apiKey } = data.createApiKey.apiKey; | ||
| return { apiKey, token }; |
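Review bot: the destructuring on `const { apiKey: token, ...apiKey } = data.createApiKey.apiKey;` has no runtime check that the nested `apiKey` object exists or that its `apiKey` field is a non-empty string. The `ApiKey & { apiKey: string }` annotation is only a compile-time claim about the response, so a null or reshaped payload either throws an opaque TypeError here or returns `{ apiKey, token }` with `token` undefined. Suggest validating before the split and throwing a named error. Separately, the rest spread strips only the one field named `apiKey`, so any other secret-bearing field later added to the selection would pass straight through onto the returned metadata object; picking the returned fields explicitly would fail closed. The two meanings of `apiKey` on this line (the key object and the plain-text secret) also deserve a short comment.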
Unrelated spitballing: I'm curious how we might be able to keep these consistent with the backend or proactively detect a mismatch.
Putting the api definitions in a package is probably too much friction for development in the main repo.
Maybe we could eventually have a CI step to run these against staging BE?
Contributor, Author:
I had the same thought yesterday and started to look into options on how to use our staging schema to check in tools CI for any gql regressions. Will post PR for review once ready.
dsklyar added a commit that referenced this pull request on Jun 2, 2026:
PR #173 (`fix(mcp-server-admin): correct CreateApiKey GraphQL mutation`) landed on main while this branch was open. It addresses the same CreateApiKey schema drift our 47801a1 already fixes, but as a hand-rolled mutation rather than via the typed `graphql()` migration.
Resolution:
- packages/mcp/mcp-server-admin/src/graphql.ts: keep the typed graphql() form (strict superset of #173's fix).
- packages/mcp/mcp-server-admin/tests/admin.test.ts: keep all of #173's regression tests, with the two assertions that hard-coded the pre-migration mutation name (`CreateApiKey`) and return shape (`{ apiKey, token }`) updated to match the post-migration realities (`AdminCreateApiKey`, flat `CreatedApiKey`). The structural guards from #173 -- `scopes { id name }` is selected, no bare top-level `token`, plain-text token never leaks back onto the result -- are preserved verbatim.
- Both #173's changeset (`fix-admin-create-api-key-mutation.md`) and ours (`zel-7752-graphql-codegen-*.md`) are kept; changesets dedupe on next version PR with the highest bump winning.
Summary
The hand-rolled `CreateApiKey` mutation in `@transcend-io/mcp-server-admin` selected `scopes` without subfields and queried a non-existent top-level `token` field, so every `admin_create_api_key` invocation 400'd with `GRAPHQL_VALIDATION_FAILED` and Agentic Assist could not create API keys.
Related Issues
Changes
- `apiKey { id title apiKey scopes { id name } createdAt }` per the `CreatedApiKey` schema in `transcend-io/main`.
- `data.createApiKey.apiKey.apiKey` so the public `{ apiKey, token }` return shape is unchanged — `admin_create_api_key.ts` and other downstream callers needed no edits.
- `ApiKey` type in `@transcend-io/mcp-server-base` already declares `scopes: ApiKeyScope[]`, matching `listApiKeys`, so no type changes were required.
Test plan
- `pnpm --filter @transcend-io/mcp-server-admin test` (7/7 pass)
- `pnpm --filter @transcend-io/mcp-server-admin typecheck`
- `AdminMixin.createApiKey` against a stubbed `fetch`, asserting (a) the mutation body contains the corrected selection set and no top-level `token`, and (b) the token is sourced from the nested `apiKey.apiKey` field and not leaked back onto the returned `apiKey` object.
- `@transcend-io/mcp` patch release lands in `transcend-io/main`.
Release
Includes a patch changeset for `@transcend-io/mcp-server-admin`. `@transcend-io/mcp` cascades automatically via `updateInternalDependencies: "patch"` in `.changeset/config.json`. Bumping `@transcend-io/mcp` in `transcend-io/main/backend-services/transcend-mcp-server/package.json` is out-of-scope for this PR (tracked on ZEL-7752).
Closes ZEL-7752.
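The regression guard that the test plan describes, written out as an added example in plain JavaScript; it is not the PR's or the package's own code. The function names, the `CreateApiKeyInput` type name, the endpoint URL and all sample values are assumptions made for illustration.

```javascript
// Added illustration with hypothetical names; not the package's real source.
// CreateApiKeyInput is an assumed type name; the selection set is the PR's.
const MUTATION = `mutation CreateApiKey($input: CreateApiKeyInput!) {
  createApiKey(input: $input) {
    apiKey { id title apiKey scopes { id name } createdAt }
  }
}`;

// Structural guard for the two defects fixed here (ignores GraphQL comments/strings).
function selectionProblems(query) {
  const tokens = query.match(/[A-Za-z_]\w*|[{}]/g) || [];
  const problems = [];
  tokens.forEach((t, i) => {
    if (t === 'scopes' && tokens[i + 1] !== '{') problems.push('scopes selected without subfields');
    if (t === 'token') problems.push('token field selected');
  });
  return problems;
}

// Split the plain-text secret from the key metadata, failing closed.
function adaptCreateApiKey(data) {
  const created = data && data.createApiKey && data.createApiKey.apiKey;
  if (!created || typeof created.apiKey !== 'string' || created.apiKey === '') {
    throw new Error('createApiKey response carried no plain-text key');
  }
  const { apiKey: token, ...apiKey } = created;
  return { apiKey, token };
}

// fetchImpl is injected so a test can stub the network.
async function createApiKey(fetchImpl, url, input) {
  const body = JSON.stringify({ query: MUTATION, variables: { input } });
  const res = await fetchImpl(url, { method: 'POST', body });
  const { data, errors } = await res.json();
  if (errors && errors.length) throw new Error(errors[0].message);
  return adaptCreateApiKey(data);
}

// Constructed response for an offline run; every value is made up.
const SAMPLE = { data: { createApiKey: { apiKey: {
  id: 'key-1', title: 'ci', apiKey: 'constructed-secret',
  scopes: [{ id: 's1', name: 'constructed-scope' }], createdAt: '2026-06-02T00:00:00Z',
} } } };
const sent = []; // request bodies captured by the stub
const stubFetch = async (_url, init) => {
  sent.push(JSON.parse(init.body));
  return { json: async () => SAMPLE };
};
createApiKey(stubFetch, 'https://graphql.example.invalid', { title: 'ci' })
  .then(({ apiKey, token }) => console.log(Object.keys(apiKey), token.length));
```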