Problem
Aegis has `authToken` in config but it's a single static bearer token. For production use, we need proper API key management — multiple keys, key rotation, scoped permissions.
Solution
Phase 1 (this issue)
- `POST /v1/auth/keys` — create a new API key (returns key + id)
- `GET /v1/auth/keys` — list keys (shows id, name, created, last_used — NOT the key itself)
- `DELETE /v1/auth/keys/:id` — revoke a key
- Keys stored in `~/.aegis/keys.json` (hashed, not plaintext)
- All session endpoints check the `Authorization: Bearer <key>` header
- Master key from config still works (backward compat)
- Rate limiting: 100 req/min per key (429 on exceed)
Implementation
- `src/auth.ts` — key generation (crypto.randomBytes), bcrypt hash storage, validation middleware
- Fastify preHandler hook for auth check on all `/v1/` routes except `/v1/health`
- Keys stored as `{ id, name, hash, createdAt, lastUsedAt, rateLimit }`
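The key lifecycle and per-request check sketched above, as an added example rather than Aegis code: bcrypt is swapped for Node's built-in scrypt so it runs with no dependencies, and the `salt` field, the `ak_` prefix, the in-memory store, the function names and the fixed 60 s window are assumptions. Fastify is left out; `authenticate` is what the preHandler hook would call.

```typescript
import { randomBytes, randomUUID, scryptSync, timingSafeEqual } from "node:crypto";

// Record shape from the issue; `salt` is added because scrypt (the stand-in for bcrypt here) needs one.
export interface KeyRecord {
  id: string; name: string; hash: string; salt: string;
  createdAt: number; lastUsedAt: number | null; rateLimit: number;
}
export type AuthResult = { status: 200 | 401 | 429; keyId?: string };
const enc = new TextEncoder();
const hashKey = (key: string, salt: string): string => scryptSync(key, salt, 32).toString("hex");
function sameString(a: string, b: string): boolean { // constant-time compare; lengths checked so it cannot throw
  const x = enc.encode(a), y = enc.encode(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// POST /v1/auth/keys: the plaintext key is returned once and never written to keys.json.
export function createKey(store: KeyRecord[], name: string, rateLimit = 100): { id: string; key: string } {
  const key = "ak_" + randomBytes(32).toString("hex"); // assumed prefix, 256 bits of entropy
  const salt = randomBytes(16).toString("hex");
  const rec: KeyRecord = { id: randomUUID(), name, hash: hashKey(key, salt), salt,
    createdAt: Date.now(), lastUsedAt: null, rateLimit };
  store.push(rec);
  return { id: rec.id, key };
}

// GET /v1/auth/keys: metadata only, never the hash or salt.
export function listKeys(store: KeyRecord[]) {
  return store.map(({ id, name, createdAt, lastUsedAt }) => ({ id, name, createdAt, lastUsedAt }));
}
export function revokeKey(store: KeyRecord[], id: string): boolean { // DELETE /v1/auth/keys/:id
  const i = store.findIndex((r) => r.id === id);
  return i >= 0 && store.splice(i, 1).length === 1;
}

const windows = new Map<string, { start: number; count: number }>(); // per-key 60 s window, in-memory only
// The check a Fastify preHandler would run: 401 for a missing/unknown key, 429 over the per-key limit.
export function authenticate(store: KeyRecord[], masterKey: string | undefined,
                             authHeader: string | undefined, now = Date.now()): AuthResult {
  const m = /^Bearer (\S+)$/.exec(authHeader ?? ""); if (!m) return { status: 401 };
  const presented = m[1];
  if (masterKey && sameString(presented, masterKey)) return { status: 200, keyId: "master" }; // config key still works
  // Linear scan costs one slow hash per stored key; fine for a handful of keys, not for thousands.
  const rec = store.find((r) => sameString(hashKey(presented, r.salt), r.hash));
  if (!rec) return { status: 401 };
  const w = windows.get(rec.id);
  if (!w || now - w.start >= 60_000) windows.set(rec.id, { start: now, count: 1 });
  else if (++w.count > rec.rateLimit) return { status: 429, keyId: rec.id };
  rec.lastUsedAt = now;
  return { status: 200, keyId: rec.id };
}
```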
Acceptance Criteria