feat: add paginated endpoint for developers to list their own API keys #577

Merged
greatest0fallt1me merged 1 commit into CalloraOrg:main from Deyanju23:feat/developer-list-own-api-keys
Jun 29, 2026
@Deyanju23

Contributor

Closes #412

Summary

Adds a secure endpoint that allows authenticated developers to list only their own API keys. The response exposes only public-safe metadata and never returns API key secrets or hashes.

Changes

API Endpoint

Added a new authenticated route that returns the current developer's API keys.

The endpoint:

  • uses the existing requireAuth middleware
  • enforces developer ownership
  • queries apiKeyRepository
  • supports cursor-based pagination

Response Shape

Each API key includes only public-safe fields:

  • id
  • prefix
  • created_at
  • last_used_at
  • revoked_at

The endpoint never returns:

  • full API keys
  • key hashes
  • secret values
  • any sensitive credential material

Repository

Updated src/repositories/apiKeyRepository.ts to:

  • query API keys scoped to the authenticated developer
  • support cursor-based pagination
  • return only the required public fields

Security

Implemented strict tenant isolation:

  • developers can only access their own API keys
  • cross-tenant enumeration is prevented
  • sensitive fields are excluded at the query/serialization layer

Tests

Added/updated tests covering:

  • authenticated developer lists their own API keys
  • response contains only allowed fields
  • key hashes are never returned
  • full API keys are never returned
  • cursor pagination works correctly
  • revoked keys are handled correctly
  • developer cannot access another developer's keys
  • unauthorized requests are rejected

OpenAPI

Updated the OpenAPI specification to document:

  • the new endpoint
  • response schema
  • pagination parameters
  • authentication requirements

Security

  • No secrets are exposed in responses.
  • Ownership checks enforce tenant isolation.
  • Only authenticated developers may access the endpoint.
  • Repository queries are scoped to the authenticated developer.

Testing

Executed:

npm test -- developerRoutes

Notes

  • Backwards compatible.
  • No existing endpoints modified.
  • Focused implementation with no unrelated refactoring.
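
To illustrate the controls the PR description above lists (owner-scoped query, cursor pagination, allow-listed response fields), here is an added example that is not part of the PR or the Callora code base. It uses an in-memory array in place of apiKeyRepository; the names ApiKeyRow, toPublic, listOwnApiKeys and ROWS, the cursor format, and the choice to list revoked keys with their revoked_at timestamp are assumptions.

```typescript
// Added illustration, not Callora code. All names and the sample rows are hypothetical.
interface ApiKeyRow {
  id: string;
  developer_id: string;
  prefix: string;
  key_hash: string; // sensitive: must never reach a response
  created_at: string; // assumed fixed-width ISO 8601 UTC, so string order == time order
  last_used_at: string | null;
  revoked_at: string | null;
}
type PublicApiKey = Pick<ApiKeyRow, "id" | "prefix" | "created_at" | "last_used_at" | "revoked_at">;

// Allow-list serializer: fields are copied one by one, so a column added to the
// row later stays private unless someone deliberately exposes it here.
function toPublic(r: ApiKeyRow): PublicApiKey {
  return { id: r.id, prefix: r.prefix, created_at: r.created_at,
           last_used_at: r.last_used_at, revoked_at: r.revoked_at };
}

// (created_at, id) gives a stable total order; the cursor is the last key served.
const sortKey = (r: ApiKeyRow): string => `${r.created_at}|${r.id}`;

// developerId must come from the authenticated session, never from the request.
function listOwnApiKeys(rows: ApiKeyRow[], developerId: string, limit: number, cursor: string | null = null) {
  const size = Math.min(Math.max(1, Math.floor(limit) || 1), 100); // clamp page size
  const page = rows
    .filter((r) => r.developer_id === developerId) // ownership applies on every page
    .filter((r) => cursor === null || sortKey(r) > cursor)
    .sort((a, b) => (sortKey(a) < sortKey(b) ? -1 : 1))
    .slice(0, size + 1); // one extra row tells us whether another page exists
  const items = page.slice(0, size);
  const last = items[items.length - 1];
  return {
    data: items.map(toPublic),
    next_cursor: page.length > size && last ? sortKey(last) : null,
  };
}

// Constructed sample data: three keys for dev_a (one revoked), one for dev_b.
const ROWS: ApiKeyRow[] = [
  { id: "k1", developer_id: "dev_a", prefix: "ck_a1", key_hash: "HASH_PLACEHOLDER_1", created_at: "2026-01-01T00:00:00Z", last_used_at: null, revoked_at: null },
  { id: "k2", developer_id: "dev_b", prefix: "ck_b1", key_hash: "HASH_PLACEHOLDER_2", created_at: "2026-01-02T00:00:00Z", last_used_at: null, revoked_at: null },
  { id: "k3", developer_id: "dev_a", prefix: "ck_a2", key_hash: "HASH_PLACEHOLDER_3", created_at: "2026-01-03T00:00:00Z", last_used_at: "2026-02-01T00:00:00Z", revoked_at: "2026-02-02T00:00:00Z" },
  { id: "k4", developer_id: "dev_a", prefix: "ck_a3", key_hash: "HASH_PLACEHOLDER_4", created_at: "2026-01-04T00:00:00Z", last_used_at: null, revoked_at: null },
];
```

Because the ownership filter runs before the cursor comparison, a cursor copied from another developer's listing only shifts the caller's position within their own keys.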

@drips-wave

drips-wave Bot commented Jun 28, 2026


@Deyanju23 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@greatest0fallt1me greatest0fallt1me merged commit 12bf357 into CalloraOrg:main Jun 29, 2026
Development

Successfully merging this pull request may close these issues.

Add an authenticated GET /api/developers/me/api-keys listing with prefix-only exposure