Summary
The `apps/admin/src/app/(authenticated)/settings/tokens/` page calls `/api/v1/me/tokens` for list/create/revoke. The endpoint returns 404.
Why P1
PATs are table-stakes for any CI integration, GitHub Actions runs, or operators automating with `gonext` CLI against a remote install. WordPress has had application passwords for years; comparable products treat this as a baseline.
The DB table exists (`personal_access_tokens` migration). The Go package likely needs to be built from scratch.
Fix
- Build `apps/api/internal/auth/pat/` — list/create/revoke handlers backed by `personal_access_tokens` table.
- Mount at `/api/v1/me/tokens` (current-user scope) and optionally `/api/v1/admin/users/{id}/tokens` (admin scope).
- Store token hashes only (argon2id; the raw token is never stored); display the secret ONCE on creation.
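
A sketch of the create/verify path the Fix list describes, added here as an example and not code from the repository. Because a salted hash cannot be looked up by value, the token carries a public ID that selects the row before the secret is checked. The `gnx_` prefix, the `Record` fields, the in-memory `rows` map and the SHA-256 stand-in for argon2id are all assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is an assumed personal_access_tokens row; the raw secret is never stored.
type Record struct {
	ID         string
	Salt, Hash []byte
	Revoked    bool
}

// hashSecret is a stdlib stand-in (salted SHA-256), NOT argon2id; production
// would call argon2.IDKey from golang.org/x/crypto/argon2 here instead.
func hashSecret(secret, salt []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), secret...))
	return sum[:]
}

// Create returns the full token (shown to the user once) and the row to persist.
func Create() (string, Record) {
	b := make([]byte, 56) // 8-byte public ID, 32-byte secret, 16-byte salt
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to mint a token
	}
	id, secret, salt := hex.EncodeToString(b[:8]), hex.EncodeToString(b[8:40]), b[40:]
	return "gnx_" + id + "_" + secret, Record{ID: id, Salt: salt, Hash: hashSecret([]byte(secret), salt)}
}

// Verify finds the row by the token's public ID, then compares hashes in constant time.
func Verify(token string, rows map[string]Record) bool {
	p := strings.Split(token, "_")
	if len(p) != 3 || p[0] != "gnx" {
		return false
	}
	rec, ok := rows[p[1]]
	return ok && !rec.Revoked && subtle.ConstantTimeCompare(hashSecret([]byte(p[2]), rec.Salt), rec.Hash) == 1
}

func main() {
	tok, rec := Create()
	fmt.Println(Verify(tok, map[string]Record{rec.ID: rec})) // true
}
```

The create handler returns the token string in its response and persists only the `Record`; list responses can expose `ID` safely since it carries no secret material.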
Files to touch
- New: `apps/api/internal/auth/pat/`
- `apps/api/cmd/server/main.go` (mount)