
ApiToken + mint/revoke + "Connect an agent" page #17

@CuriouslyCory

Description


Parent

PRD #2

What to build

A signed-in user can mint API tokens for agents and revoke them, from a "Connect an agent" page. Tokens are shown once and stored only as a hash (HMAC with a server-side pepper); a non-secret prefix is kept for display. Tokens carry scopes and an expiry.

Acceptance criteria

  • ApiToken model stores a hashed token (unique), display prefix, scopes, expiry, and revocation; schema synced
  • A user can mint a token (shown once) and revoke it from a "Connect an agent" page
  • The raw token is never stored or logged; only its hash and prefix persist
  • A server-side token pepper is added to the schema-validated environment (schema + runtime map)
  • Service tests cover mint, hash-at-rest, and revoke
  • pnpm check passes
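A reference implementation of the mint, hash-at-rest, authenticate and revoke flow described above, written here as an added TypeScript example; it is not the project's own code. It assumes an in-memory Map standing in for the ApiToken table, an environment variable named API_TOKEN_PEPPER, a raw token format of `agt_` followed by 32 random bytes in base64url, a 12-character display prefix, and the field names shown; all of these are assumptions, not identifiers from the issue.

```typescript
import { createHmac, randomBytes, randomUUID } from "node:crypto";

// Assumed row shape for the ApiToken model; field names are illustrative.
export interface ApiToken {
  id: string;
  userId: string;
  tokenHash: string;      // hex HMAC-SHA256(pepper, raw token); unique at rest
  prefix: string;         // non-secret leading chars of the raw token, for display
  scopes: string[];
  expiresAt: Date;
  revokedAt: Date | null;
  createdAt: Date;
}

const RAW_PREFIX = "agt_";   // assumed token format marker
const DISPLAY_CHARS = 12;    // "agt_" + 8 chars is what the page shows
const MIN_PEPPER_LENGTH = 32;

// Stands in for the schema-validated environment: a missing or short pepper
// fails at startup rather than producing weak hashes. Variable name is assumed.
export function loadPepper(env: Record<string, string | undefined>): string {
  const pepper = env.API_TOKEN_PEPPER;
  if (!pepper || pepper.length < MIN_PEPPER_LENGTH) {
    throw new Error(`API_TOKEN_PEPPER must be set and at least ${MIN_PEPPER_LENGTH} chars`);
  }
  return pepper;
}

// Keyed hash: a leaked table of hashes cannot be brute-forced offline without
// the pepper, and the pepper alone is useless without the table.
export function hashToken(raw: string, pepper: string): string {
  return createHmac("sha256", pepper).update(raw).digest("hex");
}

export class ApiTokenService {
  // In-memory stand-in for the database table, keyed by the unique tokenHash.
  private readonly rows = new Map<string, ApiToken>();
  private readonly pepper: string;
  private readonly now: () => Date;

  constructor(pepper: string, now: () => Date = () => new Date()) {
    this.pepper = pepper;
    this.now = now;
  }

  // Mint: the raw token is returned exactly once and never retained or logged.
  mint(userId: string, scopes: string[], ttlMs: number): { raw: string; token: ApiToken } {
    const raw = RAW_PREFIX + randomBytes(32).toString("base64url"); // 256 bits of entropy
    const createdAt = this.now();
    const token: ApiToken = {
      id: randomUUID(),
      userId,
      tokenHash: hashToken(raw, this.pepper),
      prefix: raw.slice(0, DISPLAY_CHARS),
      scopes: [...scopes],
      expiresAt: new Date(createdAt.getTime() + ttlMs),
      revokedAt: null,
      createdAt,
    };
    this.rows.set(token.tokenHash, token);
    return { raw, token };
  }

  // Authenticate an agent request: hash the presented token, look it up by
  // hash, then enforce revocation, expiry and the scope the endpoint requires.
  authenticate(raw: string, requiredScope: string): ApiToken | null {
    const row = this.rows.get(hashToken(raw, this.pepper));
    if (!row || row.revokedAt !== null) return null;
    if (row.expiresAt.getTime() <= this.now().getTime()) return null;
    if (!row.scopes.includes(requiredScope)) return null;
    return row;
  }

  // Revoke from the "Connect an agent" page. Scoped to the owner so one user
  // cannot revoke another's token by guessing its id; returns false if nothing changed.
  revoke(userId: string, tokenId: string): boolean {
    for (const row of this.rows.values()) {
      if (row.id === tokenId && row.userId === userId && row.revokedAt === null) {
        row.revokedAt = this.now();
        return true;
      }
    }
    return false;
  }

  // What the page lists per user: prefix and metadata, never the hash.
  list(userId: string): Array<Pick<ApiToken, "id" | "prefix" | "scopes" | "expiresAt" | "revokedAt">> {
    return Array.from(this.rows.values())
      .filter((r) => r.userId === userId)
      .map(({ id, prefix, scopes, expiresAt, revokedAt }) => ({ id, prefix, scopes, expiresAt, revokedAt }));
  }

  // Test hook for the hash-at-rest criterion: true if the raw token appears
  // anywhere in what would be persisted.
  persistsRaw(raw: string): boolean {
    return JSON.stringify(Array.from(this.rows.values())).includes(raw);
  }
}
```

Two design points worth keeping when this is wired to a real database: the lookup is an equality query on the unique `tokenHash` column, so no constant-time comparison of the raw token is needed (the client never learns the hash), and the `prefix` column is deliberately too short to be useful to an attacker while still letting a user recognise which token to revoke.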


Metadata
Labels

ready-for-agent (Fully specified, ready for an agent to implement AFK)
