feat: onboarding success step

[ogzhanolguncu]

What does this PR do?

This PR completes the new onboarding flow by adding a success step that includes cURL examples so users can immediately test their newly created API key. The step uses the shared component from the existing key-create flow for consistency.
Also removes the old /new endpoint as part of this migration. The shared component remains in the key-create directory since it's unlikely to be reused elsewhere in the codebase.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• Chore (refactoring code, technical debt, workflow improvements)
• Enhancement (small improvements)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How should this be tested?

1. Get rid of every workspace you have or wipe the db
2. Sign in and make sure you land on /new route
3. Create a new workspace, API and Key with some configurations
4. Make sure the key you created exists
5. Make sure key configuration is reflected correctly
6. Create one more workspace after your wipe to make sure you can create more workspaces

Checklist

Required

• Filled out the "How to test" section in this PR
• Read Contributing Guide
• Self-reviewed my own code
• Commented on my code in hard-to-understand areas
• Ran pnpm build
• Ran pnpm fmt
• Checked for warnings, there are none
• Removed all console.logs
• Merged the latest changes from main onto my branch with git pull origin main
• My changes don't cause any responsiveness issues

Appreciated

• If a UI change was made: Added a screen recording or screenshots to this PR
• Updated the Unkey Docs if changes were necessary

Summary by CodeRabbit

• New Features

  • Introduced new onboarding components, including onboarding fallback and success step with confirmation popover.
  • Added a dedicated section for securely displaying and copying API keys with masking and visibility toggle.
  • Enhanced onboarding wizard with support for loading states and step skipping.
  • Added user and help buttons to onboarding UI.

• Improvements

  • Streamlined onboarding flow to a single unified experience.
  • Enhanced workspace and API key creation steps with improved validation, error handling, and tooltips.
  • Sidebar and user menu now better handle mobile and collapsed states for improved navigation.
  • Updated onboarding step titles and descriptions for clarity.
  • Made tooltip content for disabled settings dynamic.
  • Improved event handling in expandable settings to prevent unintended interactions.

• Bug Fixes

  • Fixed dropdown menu alignment in help and user buttons.

• Refactor

  • Modularized and simplified key creation logic for maintainability.
  • Refactored user button to accept external state for sidebar and mobile responsiveness.
  • Replaced inline API key display logic with a reusable component.

• Chores

  • Removed obsolete onboarding and key creation components and related routes.
  • Deleted workspace and ratelimit creation components no longer in use.

[changeset-bot]

⚠️ No Changeset found

Latest commit: d4d0b00

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

This change overhauls the onboarding flow in the dashboard app, consolidating multiple onboarding steps into a single, streamlined wizard. It introduces new components and hooks for workspace and API key creation, updates UI elements for onboarding, and refactors supporting logic. Several obsolete onboarding files are removed, and related backend mutations are modularized for clarity and reuse.

Changes

File(s) / Group	Change Summary
apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-created-success-dialog.tsx .../key-secret-section.tsx	Refactored dialog to use new KeySecretSection component; introduced KeySecretSection for displaying API key and usage snippet.
apps/dashboard/app/new/components/onboarding-content.tsx .../onboarding-success-step.tsx .../onboarding-fallback.tsx .../onboarding-wizard.tsx .../expandable-settings.tsx	Introduced/renamed onboarding components; added user/help buttons, confirmation modal, and improved step logic for onboarding wizard.
apps/dashboard/app/new/hooks/use-key-creation-step.tsx .../use-workspace-step.tsx	Enhanced key creation hook for combined API/key creation; added new workspace step hook for onboarding.
apps/dashboard/app/new/constants.ts	Added constants for key and API ID params; updated onboarding step info.
apps/dashboard/app/new/page.tsx	Replaced complex onboarding routing with a single Suspense boundary rendering new onboarding content.
apps/dashboard/components/navigation/sidebar/app-sidebar/index.tsx .../sidebar-mobile.tsx .../user-button.tsx .../help-button.tsx	Updated sidebar and user/help button components to support new props and alignment; refactored UserButton to accept external state.
apps/dashboard/app/new/create-api.tsx .../create-ratelimit.tsx .../create-workspace.tsx .../keys.tsx	Deleted legacy onboarding and API/key creation components.
apps/dashboard/lib/trpc/routers/key/create.ts .../workspace/onboarding.ts	Refactored key creation mutation to extract core logic into reusable function; updated onboarding mutation input schema.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant OnboardingContent
    participant OnboardingWizard
    participant useWorkspaceStep
    participant useKeyCreationStep
    participant TRPC_API
    participant Router

    User->>OnboardingContent: Visit onboarding page
    OnboardingContent->>OnboardingWizard: Render steps
    OnboardingWizard->>useWorkspaceStep: Render workspace creation form
    User->>useWorkspaceStep: Submit workspace info
    useWorkspaceStep->>TRPC_API: Create workspace
    TRPC_API-->>useWorkspaceStep: Workspace created
    useWorkspaceStep->>TRPC_API: Switch organization session
    TRPC_API-->>useWorkspaceStep: Session switched
    useWorkspaceStep-->>OnboardingWizard: Advance to next step
    OnboardingWizard->>useKeyCreationStep: Render API/key creation form
    User->>useKeyCreationStep: Submit API/key info
    useKeyCreationStep->>TRPC_API: Create API and key
    TRPC_API-->>useKeyCreationStep: API/key created
    useKeyCreationStep-->>OnboardingWizard: Advance to success step
    OnboardingWizard->>OnboardingSuccessStep: Show key and confirmation
    User->>OnboardingSuccessStep: Confirm and finish
    OnboardingSuccessStep->>Router: Redirect to "/apis"

Loading

Possibly related PRs

• feat: keys create wizard #3156: Introduces a multi-step key creation wizard dialog and related components, including a KeyCreatedSuccessDialog component, overlapping with the updated dialog and UI components in this PR.

Suggested labels

Feature, Dashboard

Suggested reviewers

• perkinsjr
• mcstepp
• chronark

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
dashboard	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 11, 2025 2:06pm

1 Skipped Deployment

Name	Status	Preview	Comments	Updated (UTC)
engineering	⬜️ Ignored (Inspect)	Visit Preview		Jul 11, 2025 2:06pm

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

apps/dashboard/lib/trpc/routers/key/create.ts (1)

24-39: Previous error handling concern has been addressed.

The keyAuth query now has proper error handling with the .catch() block, addressing the previous review comment about missing error handling.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ec906b2 and e4ea2fb.

📒 Files selected for processing (1)

• apps/dashboard/lib/trpc/routers/key/create.ts (4 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#2825
File: apps/dashboard/app/(app)/logs-v2/hooks/use-bookmarked-filters.ts:0-0
Timestamp: 2025-01-30T20:51:44.359Z
Learning: The user (ogzhanolguncu) prefers to handle refactoring suggestions in separate PRs to maintain focus in the current PR.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#2872
File: apps/dashboard/lib/trpc/routers/ratelimit/createNamespace.ts:36-39
Timestamp: 2025-04-08T09:34:24.576Z
Learning: In the Unkey dashboard, when making database queries involving workspaces, use `ctx.workspace.id` directly instead of fetching the workspace separately for better performance and security.

Learnt from: chronark
PR: unkeyed/unkey#2693
File: apps/api/src/routes/v1_keys_updateKey.ts:350-368
Timestamp: 2024-11-29T15:15:47.308Z
Learning: In `apps/api/src/routes/v1_keys_updateKey.ts`, the code intentionally handles `externalId` and `ownerId` separately for clarity. The `ownerId` field will be removed in the future, simplifying the code.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3297
File: apps/dashboard/lib/trpc/routers/authorization/roles/query.ts:210-323
Timestamp: 2025-06-04T20:13:12.060Z
Learning: The user ogzhanolguncu prefers explicit, duplicated code over abstracted helper functions when it improves readability, even if it means some duplication in filter building functions in the authorization roles query module.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3480
File: apps/dashboard/app/new-2/hooks/use-workspace-step.tsx:47-79
Timestamp: 2025-07-09T11:35:51.724Z
Learning: In the Unkey codebase, ogzhanolguncu prefers to keep invariant checks that throw errors for cases that shouldn't happen in normal operation (like null workspace ID checks), rather than adding graceful error handling code for edge cases that would only occur if someone tampers with the actual flow.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3375
File: apps/dashboard/app/(app)/settings/root-keys/components/table/hooks/use-root-keys-list-query.ts:0-0
Timestamp: 2025-06-25T20:32:10.471Z
Learning: In the Unkey codebase, ogzhanolguncu prefers strict validation with fail-fast error handling. When validation errors occur that shouldn't happen in normal operation (like invalid operators), throwing errors to crash the page is preferred over graceful error handling or console logging.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3499
File: apps/dashboard/app/new/hooks/use-workspace-step.tsx:19-26
Timestamp: 2025-07-11T13:00:05.347Z
Learning: In the Unkey codebase, ogzhanolguncu prefers to keep commented code for planned future features (like slug-based workspaces) rather than removing it, as it serves as a reference for upcoming implementation.

apps/dashboard/lib/trpc/routers/key/create.ts (12)

Learnt from: chronark
PR: unkeyed/unkey#2693
File: apps/api/src/routes/v1_keys_updateKey.ts:350-368
Timestamp: 2024-11-29T15:15:47.308Z
Learning: In `apps/api/src/routes/v1_keys_updateKey.ts`, the code intentionally handles `externalId` and `ownerId` separately for clarity. The `ownerId` field will be removed in the future, simplifying the code.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#2872
File: apps/dashboard/lib/trpc/routers/ratelimit/createNamespace.ts:36-39
Timestamp: 2025-04-08T09:34:24.576Z
Learning: In the Unkey dashboard, when making database queries involving workspaces, use `ctx.workspace.id` directly instead of fetching the workspace separately for better performance and security.

Learnt from: mcstepp
PR: unkeyed/unkey#3210
File: apps/dashboard/app/new/page.tsx:3-3
Timestamp: 2025-04-30T15:25:33.917Z
Learning: There are two different `getAuth` functions in the Unkey codebase with different purposes:
1. `@/lib/auth/get-auth` - Base function without redirects, used in special cases on the dashboard where redirect control is needed (like `/new` page) and within tRPC context
2. `@/lib/auth` - Helper function with redirects, used in most dashboard cases (approximately 98%)

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3292
File: apps/dashboard/lib/vault.ts:80-97
Timestamp: 2025-06-02T11:08:56.397Z
Learning: The vault.ts file in apps/dashboard/lib/vault.ts is a duplicate of the vault package from the `api` directory and should be kept consistent with that original implementation.

Learnt from: chronark
PR: unkeyed/unkey#2294
File: apps/api/src/pkg/keys/service.ts:268-271
Timestamp: 2024-10-20T07:05:55.471Z
Learning: In `apps/api/src/pkg/keys/service.ts`, `ratelimitAsync` is a table relation, not a column selection. When querying, ensure that table relations are included appropriately, not as columns.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3292
File: apps/dashboard/lib/vault.ts:60-78
Timestamp: 2025-06-02T11:09:05.843Z
Learning: The vault implementation in `apps/dashboard/lib/vault.ts` is a duplicate of the vault package from `api` and should be kept consistent with the original implementation.

Learnt from: chronark
PR: unkeyed/unkey#2180
File: apps/dashboard/lib/constants/workspace-navigations.tsx:56-118
Timestamp: 2024-10-04T20:44:38.489Z
Learning: When typing the `workspace` parameter in functions like `createWorkspaceNavigation`, prefer importing the `Workspace` type from the database module and picking the necessary keys (e.g., `features`) instead of redefining the interface.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#2872
File: apps/dashboard/lib/trpc/routers/ratelimit/createNamespace.ts:36-39
Timestamp: 2025-04-08T09:34:24.576Z
Learning: When querying or updating namespaces in the Unkey dashboard, always scope the operations to the current workspace using `eq(table.workspaceId, ctx.workspace.id)` to prevent cross-workspace access.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3292
File: apps/dashboard/lib/trpc/routers/key/create.ts:11-14
Timestamp: 2025-06-02T11:09:58.791Z
Learning: In the unkey codebase, TypeScript and the env() function implementation already provide sufficient validation for environment variables, so additional runtime error handling for missing env vars is not needed.

Learnt from: mcstepp
PR: unkeyed/unkey#3254
File: apps/dashboard/components/logs/hooks/use-bookmarked-filters.ts:183-195
Timestamp: 2025-05-13T14:38:44.134Z
Learning: When working with browser storage (like localStorage) in this codebase, always implement try/catch blocks to handle Safari quirks and other browser-specific issues that users have been experiencing. Safari Private Browsing mode in particular can throw errors when accessing localStorage.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3324
File: apps/dashboard/app/(app)/authorization/roles/components/table/components/actions/keys-table-action.popover.constants.tsx:17-18
Timestamp: 2025-06-19T11:48:05.070Z
Learning: In the authorization roles refactor, the RoleBasic type uses `roleId` as the property name for the role identifier, not `id`. This is consistent throughout the codebase in apps/dashboard/lib/trpc/routers/authorization/roles/query.ts.

Learnt from: Flo4604
PR: unkeyed/unkey#2955
File: go/apps/api/routes/v2_identities_create_identity/handler.go:162-202
Timestamp: 2025-03-19T09:25:59.751Z
Learning: In the Unkey codebase, input validation for API endpoints is primarily handled through OpenAPI schema validation, which occurs before requests reach the handler code. For example, in the identities.createIdentity endpoint, minimum values for ratelimit duration and limit are defined in the OpenAPI schema rather than duplicating these checks in the handler.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (3)

apps/dashboard/lib/trpc/routers/key/create.ts (3)

1-4: Import organization looks good!

The addition of CreateKeyInput type import is necessary for the new function signature, and the code organization is clean.

Also applies to: 13-13

---

68-78: Well-structured type definitions!

The CreateKeyContext type properly captures the required context fields, and the DatabaseTransaction type extraction is a clean way to get the transaction type without importing internal types.

---

79-163: Excellent extraction of key creation logic!

The createKeyCore function is well-structured with:

• Proper transaction usage for atomicity
• Correct handling of optional features (encryption, rate limits)
• Comprehensive audit logging
• Clean separation of concerns

This refactoring enables reuse in the onboarding flow while maintaining consistency.

[perkinsjr]

[graphite-app]

[graphite-app]

Graphite Automations

"Post a GIF when PR approved" took an action on this PR • (07/11/25)

1 gif was posted to this PR based on Andreas Thomas's automation.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 66585e0 and d4d0b00.

📒 Files selected for processing (1)

• apps/dashboard/app/new/constants.ts (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#2825
File: apps/dashboard/app/(app)/logs-v2/hooks/use-bookmarked-filters.ts:0-0
Timestamp: 2025-01-30T20:51:44.359Z
Learning: The user (ogzhanolguncu) prefers to handle refactoring suggestions in separate PRs to maintain focus in the current PR.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#2872
File: apps/dashboard/lib/trpc/routers/ratelimit/createNamespace.ts:36-39
Timestamp: 2025-04-08T09:34:24.576Z
Learning: In the Unkey dashboard, when making database queries involving workspaces, use `ctx.workspace.id` directly instead of fetching the workspace separately for better performance and security.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3297
File: apps/dashboard/lib/trpc/routers/authorization/roles/query.ts:210-323
Timestamp: 2025-06-04T20:13:12.060Z
Learning: The user ogzhanolguncu prefers explicit, duplicated code over abstracted helper functions when it improves readability, even if it means some duplication in filter building functions in the authorization roles query module.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3480
File: apps/dashboard/app/new-2/hooks/use-workspace-step.tsx:47-79
Timestamp: 2025-07-09T11:35:51.724Z
Learning: In the Unkey codebase, ogzhanolguncu prefers to keep invariant checks that throw errors for cases that shouldn't happen in normal operation (like null workspace ID checks), rather than adding graceful error handling code for edge cases that would only occur if someone tampers with the actual flow.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3375
File: apps/dashboard/app/(app)/settings/root-keys/components/table/hooks/use-root-keys-list-query.ts:0-0
Timestamp: 2025-06-25T20:32:10.471Z
Learning: In the Unkey codebase, ogzhanolguncu prefers strict validation with fail-fast error handling. When validation errors occur that shouldn't happen in normal operation (like invalid operators), throwing errors to crash the page is preferred over graceful error handling or console logging.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3499
File: apps/dashboard/app/new/hooks/use-workspace-step.tsx:19-26
Timestamp: 2025-07-11T13:00:05.347Z
Learning: In the Unkey codebase, ogzhanolguncu prefers to keep commented code for planned future features (like slug-based workspaces) rather than removing it, as it serves as a reference for upcoming implementation.

apps/dashboard/app/new/constants.ts (3)

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3292
File: apps/dashboard/lib/vault.ts:80-97
Timestamp: 2025-06-02T11:08:56.397Z
Learning: The vault.ts file in apps/dashboard/lib/vault.ts is a duplicate of the vault package from the `api` directory and should be kept consistent with that original implementation.

Learnt from: chronark
PR: unkeyed/unkey#2146
File: apps/dashboard/app/(app)/apis/[apiId]/settings/default-prefix.tsx:74-75
Timestamp: 2024-10-04T17:27:09.821Z
Learning: In `apps/dashboard/app/(app)/apis/[apiId]/settings/default-prefix.tsx`, the hidden `<input>` elements for `workspaceId` and `keyAuthId` work correctly without being registered with React Hook Form.

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3292
File: apps/dashboard/lib/vault.ts:60-78
Timestamp: 2025-06-02T11:09:05.843Z
Learning: The vault implementation in `apps/dashboard/lib/vault.ts` is a duplicate of the vault package from `api` and should be kept consistent with the original implementation.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Test Packages / Test ./apps/dashboard
• GitHub Check: Test Packages / Test ./internal/id
• GitHub Check: Test Packages / Test ./internal/resend
• GitHub Check: Test Packages / Test ./internal/clickhouse
• GitHub Check: Analyze (javascript-typescript)