@fmhall fmhall commented Sep 30, 2025

Allow clients to create API keys on behalf of users. Designed for CLI apps, desktop apps, or apps that need to kick off long-running jobs on the user's behalf.

  • Show warning to users when this scope is requested
  • Handle scope in token issuance
  • Determine if a fresh API key should be created each time, if they should be reused, or if old ones should be archived when a new one with the same name ("Oauth generated API key") is created

It's also interesting to note that we aren't doing any validation/handling of scopes at the moment beyond ensuring they are a string.

Longer term

We want to enable CLI apps, desktop apps, etc. to allow users to authenticate and create API keys, without having to run a callback server.

Codex and Claude both spin up a callback server, since that works with no changes to an architecture like the one in this PR.

We could use the Device Code flow (RFC-8628), but that still requires the user to input a device code.

See initial questions in this tweet


railway-app bot commented Sep 30, 2025

🚅 Deployed to the echo-pr-500 environment in echo

Service Status Web Updated (UTC)
echo 🚨 Crashed (View Logs) Web Sep 30, 2025 at 8:40 pm

rsproule commented Oct 1, 2025

did this a while ago and stashed it for some concerns #327

@rsproule
i can get on board with this but this is incomplete. We need:

  • show a warning or something in the AuthZ page like:
    'you are creating a long lived access token, this can be revoked in echo website'
  • need to actually append this scope in that scenario
  • need to be able to tell when an authz was initiated with this "api_key:create" scope. Probably an additional url param
  • sdk / clients need to know how to create this url (ask for this scope)
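
One way to validate requested scopes at the authorization endpoint so that the consent page and token issuance can both tell when `api_key:create` was asked for. This is an added example, not code from this PR or the Echo code base: only the `api_key:create` scope name and the gist of the warning text come from the thread, while the `llm:invoke` scope, the `KNOWN_SCOPES` registry and the `ClientRegistration` shape are assumptions.

```typescript
// Added example. Only "api_key:create" comes from the PR thread; the other
// scope name, the registry and the client shape are assumptions.
const API_KEY_CREATE = "api_key:create";

// Hypothetical registry: scope -> consent-screen warning (null = none).
const KNOWN_SCOPES: Record<string, string | null> = {
  "llm:invoke": null, // hypothetical everyday scope
  "api_key:create":
    "You are creating a long-lived access token. It can be revoked on the Echo website.",
};

interface ClientRegistration {
  clientId: string;
  allowedScopes: string[]; // assumed field: scopes granted at client registration
}

type ScopeDecision =
  | { ok: true; granted: string[]; warnings: string[]; createsApiKey: boolean }
  | { ok: false; error: "invalid_scope"; detail: string };

// RFC 6749 section 3.3 scope-token: printable ASCII except space, '"' and '\'.
const SCOPE_TOKEN = /^[\x21\x23-\x5B\x5D-\x7E]+$/;

function evaluateScopes(raw: unknown, client: ClientRegistration): ScopeDecision {
  const deny = (detail: string): ScopeDecision => ({ ok: false, error: "invalid_scope", detail });
  if (typeof raw !== "string") return deny("scope must be a string");

  // Space-delimited list; drop empty tokens and duplicates.
  const requested = raw.split(" ").filter((s, i, all) => s !== "" && all.indexOf(s) === i);
  if (requested.length === 0) return deny("no scope requested");

  const warnings: string[] = [];
  for (const scope of requested) {
    if (!SCOPE_TOKEN.test(scope)) return deny("malformed scope token");
    // Own-property check so names like "constructor" are not treated as known.
    if (!Object.prototype.hasOwnProperty.call(KNOWN_SCOPES, scope)) return deny("unknown scope: " + scope);
    if (client.allowedScopes.indexOf(scope) === -1) return deny("client not registered for: " + scope);
    const warning = KNOWN_SCOPES[scope];
    if (typeof warning === "string") warnings.push(warning);
  }
  const createsApiKey = requested.indexOf(API_KEY_CREATE) !== -1;
  return { ok: true, granted: requested, warnings, createsApiKey };
}
```

The `createsApiKey` flag is derived from the validated scope list itself, so the consent page and the token endpoint can branch on it without trusting a separate request parameter.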
