Add user-level API key generation for programmatic access #1687

Open
AI-Manager wants to merge 0 commits from feature/api-key-auth into main

Summary

  • Add api_keys table to the database schema with bcrypt-hashed keys linked to users
  • Add POST /auth/apikeys endpoint that generates a 32-byte hex API key and returns the plaintext once
  • Add GET /auth/apikeys endpoint to list active key IDs/labels (no secrets)
  • Add DELETE /auth/apikeys/{key_id} endpoint to revoke keys
  • Extend get_current_user dependency to accept either JWT Bearer token or X-API-Key header
  • Keys don't expire but can be revoked; revoked keys are immediately rejected

Files Changed

  • SPARC/database.py — api_keys table schema + CRUD methods
  • SPARC/auth.py — Key generation/hashing helpers, dual auth in get_current_user
  • SPARC/api.py — Three new /auth/apikeys endpoints + Pydantic models
  • tests/test_api_keys.py — 16 tests covering creation, listing, revocation, auth, and full lifecycle

Test Plan

  • Key creation returns 64-char hex key and stores bcrypt hash
  • Key listing returns metadata only (no secrets)
  • Key revocation deletes the key; 404 for non-existent keys
  • Valid API key authenticates on protected endpoints (/auth/me)
  • Invalid/revoked keys return 401
  • Full create → use → revoke → reject lifecycle
  • All 33 existing auth tests pass (no regressions)

Closes leeworks-agents/SPARC#1673
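The lifecycle the description outlines (generate a 32-byte hex key, hand the plaintext back once, store only a slow hash, look the key up on X-API-Key, revoke by key ID) as an added, stand-alone example. This is not code from the SPARC repository: the PR stores bcrypt hashes, while this version uses hashlib.scrypt from the standard library in its place so it runs without third-party packages; the api_keys columns, the use of the key's first 8 hex characters as its key_id, and the injected verify_jwt callable are all assumptions made here.

```python
"""API-key lifecycle: create, list, verify, revoke, plus a dual-auth resolver.

Added example, not SPARC project code.  scrypt stands in for the PR's bcrypt;
schema columns and the key_id-as-prefix scheme are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import sqlite3
from typing import Callable, Dict, List, Optional, Tuple

# Cost parameters for the scrypt stand-in (assumed; roughly comparable to a low bcrypt cost).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 13, 8, 1
SALT_BYTES = 16
KEY_ID_CHARS = 8  # leading hex chars of the key used as a lookup index (assumption)


def _hash_key(plaintext: str, salt: bytes) -> bytes:
    """Slow, salted hash of the presented key; only this digest is stored."""
    return hashlib.scrypt(plaintext.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)


def open_db() -> sqlite3.Connection:
    """In-memory table modelled on the description of api_keys (column names assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE api_keys (
               key_id   TEXT PRIMARY KEY,
               user_id  INTEGER NOT NULL,
               label    TEXT NOT NULL,
               salt     BLOB NOT NULL,
               key_hash BLOB NOT NULL)"""
    )
    return conn


def create_api_key(conn: sqlite3.Connection, user_id: int, label: str) -> Tuple[str, str]:
    """Generate a 32-byte key (64 hex chars) and return (key_id, plaintext) exactly once."""
    for _ in range(3):  # retry only on the negligible chance of a key_id prefix collision
        plaintext = secrets.token_hex(32)
        key_id = plaintext[:KEY_ID_CHARS]
        salt = os.urandom(SALT_BYTES)
        try:
            conn.execute("INSERT INTO api_keys VALUES (?, ?, ?, ?, ?)",
                         (key_id, user_id, label, salt, _hash_key(plaintext, salt)))
        except sqlite3.IntegrityError:
            continue
        conn.commit()
        return key_id, plaintext
    raise RuntimeError("could not allocate a unique key_id")


def list_api_keys(conn: sqlite3.Connection, user_id: int) -> List[Tuple[str, str]]:
    """Metadata only: (key_id, label). Neither the hash nor the plaintext is returned."""
    return conn.execute("SELECT key_id, label FROM api_keys WHERE user_id = ? ORDER BY key_id",
                        (user_id,)).fetchall()


def verify_api_key(conn: sqlite3.Connection, presented: str) -> Optional[int]:
    """Return the owning user_id for a valid key, or None for unknown, tampered or revoked keys."""
    if len(presented) != 64 or any(c not in "0123456789abcdef" for c in presented):
        return None
    row = conn.execute("SELECT user_id, salt, key_hash FROM api_keys WHERE key_id = ?",
                       (presented[:KEY_ID_CHARS],)).fetchone()
    if row is None:
        return None  # never existed, or already revoked (row deleted)
    user_id, salt, stored = row
    if not hmac.compare_digest(_hash_key(presented, salt), stored):
        return None
    return user_id


def revoke_api_key(conn: sqlite3.Connection, user_id: int, key_id: str) -> bool:
    """Delete one of the caller's own keys; False when nothing matched (the PR's 404 case)."""
    cur = conn.execute("DELETE FROM api_keys WHERE key_id = ? AND user_id = ?", (key_id, user_id))
    conn.commit()
    return cur.rowcount == 1


def resolve_identity(conn: sqlite3.Connection, headers: Dict[str, str],
                     verify_jwt: Callable[[str], Optional[int]]) -> Optional[int]:
    """Dual auth in the spirit of get_current_user: Bearer JWT first, else X-API-Key.

    verify_jwt is a hypothetical callable returning a user_id or None; precedence is assumed.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return verify_jwt(auth[len("Bearer "):])
    key = headers.get("X-API-Key")
    if key:
        return verify_api_key(conn, key)
    return None
```

The prefix index is the detail worth noticing: a salted slow hash cannot be looked up by value, so without some public identifier the server would have to run the hash against every stored key on each request. Revocation here is a DELETE, so a revoked key fails at the lookup step and there is no window in which a stale cache could accept it; constant-time comparison keeps the final check free of timing leaks.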
