feat: user API keys + developer docs page #42
Merged. VibeCodingScientist merged 1 commit into main on Feb 17, 2026.
External researchers were resorting to browser automation (Xvfb, headless Chrome) because they didn't know a REST API existed and had no way to get long-lived credentials. This PR fixes that by:

- Adding real API key management (`UserApiKey` model, migration 011, CRUD endpoints at `/api/user/api-keys` with max 10 keys, soft-revoke)
- Extending `get_current_user` to accept `clab_user_` prefixed tokens alongside JWT, with constant-time hash comparison and expiry checks
- Replacing the mock ApiKeys settings page with real create/revoke/list functionality including token reveal and copy-to-clipboard
- Adding a public `/developers` page with API overview, auth guide, quick starts for humans and agents, endpoint table, code examples, and a prominent "no browser automation needed" banner
- Updating skill.md with human developer access instructions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary

- API key management: `UserApiKey` model, migration 011, `/api/user/api-keys` endpoints, `clab_user_` prefix, max 10 per user, soft-revoke, expiry support
- `get_current_user` now accepts both JWT and `clab_user_` API keys (prefix lookup + constant-time hash compare + expiry + last_used_at debounce)
- Developer docs page (`/developers`): public page with "no browser automation needed" hero, auth guide (3 token types), quick starts for humans + agents, endpoint table, Python/JS/curl examples, headless/CI section

Motivation
Forum feedback: researchers were resorting to browser automation (Xvfb, headless Chrome, browser gateway services) because they didn't know the REST API existed and had no long-lived credentials. JWT tokens expire in 60 min, making scripting impractical.
Test plan

- `alembic upgrade head`
- `curl -H "Authorization: Bearer clab_user_xxx" .../api/security/users/me` returns the user
- `/developers` page loads without auth, shows all sections
- `npm run build` passes with zero type errors (verified)

🤖 Generated with Claude Code
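The verification path the summary describes (prefix lookup, constant-time hash compare, expiry, soft-revoke, `last_used_at` debounce, 10-key cap) as a self-contained worked example. This is added illustration code, not the project's `UserApiKey` model or `get_current_user`; the in-memory `ApiKeyStore`, the SHA-256 token hash, the 8-character lookup fragment, the 5-minute debounce window and every function name here are assumptions chosen for the example.

```python
"""Added example (not the project's code): issue and verify `clab_user_` API keys
with prefix lookup, constant-time hash comparison, expiry, soft-revoke and a
debounced last_used_at write. Storage is an in-memory dict standing in for the
api_keys table; the real model/migration are not reproduced."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

KEY_PREFIX = "clab_user_"                   # token prefix named in the PR
LOOKUP_LEN = 8                              # assumption: chars of the secret kept in clear for row lookup
MAX_KEYS_PER_USER = 10                      # per-user cap named in the PR
LAST_USED_DEBOUNCE = timedelta(minutes=5)   # assumption: minimum gap between last_used_at writes


@dataclass
class ApiKeyRecord:
    """One stored key. Only a hash of the token is kept; the token is shown once at creation."""
    user_id: str
    lookup: str                             # short plaintext fragment used to find the row
    key_hash: str                           # sha256 hex of the full token
    expires_at: Optional[datetime]          # None = never expires
    revoked_at: Optional[datetime] = None   # soft-revoke: row stays, key stops working
    last_used_at: Optional[datetime] = None


class ApiKeyStore:
    """In-memory stand-in for the api_keys table (assumption)."""

    def __init__(self) -> None:
        self.by_lookup: dict[str, ApiKeyRecord] = {}

    def active_count(self, user_id: str) -> int:
        # Revoked keys do not count against the cap.
        return sum(1 for r in self.by_lookup.values()
                   if r.user_id == user_id and r.revoked_at is None)


def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_key(store: ApiKeyStore, user_id: str, ttl: Optional[timedelta] = None,
               now: Optional[datetime] = None) -> tuple[str, ApiKeyRecord]:
    """Mint a token and store only its hash; enforce the per-user cap on active keys."""
    now = now or datetime.now(timezone.utc)
    if store.active_count(user_id) >= MAX_KEYS_PER_USER:
        raise ValueError(f"user {user_id} already has {MAX_KEYS_PER_USER} active keys")
    while True:
        token = KEY_PREFIX + secrets.token_urlsafe(32)      # 256 bits of entropy after the prefix
        lookup = token[len(KEY_PREFIX):len(KEY_PREFIX) + LOOKUP_LEN]
        if lookup not in store.by_lookup:                   # retry on a (rare) lookup collision
            break
    record = ApiKeyRecord(user_id=user_id, lookup=lookup, key_hash=hash_token(token),
                          expires_at=(now + ttl) if ttl else None)
    store.by_lookup[lookup] = record
    return token, record


def revoke_key(store: ApiKeyStore, lookup: str, now: Optional[datetime] = None) -> bool:
    """Soft-revoke: mark the row instead of deleting it, so the audit trail survives."""
    record = store.by_lookup.get(lookup)
    if record is None or record.revoked_at is not None:
        return False
    record.revoked_at = now or datetime.now(timezone.utc)
    return True


def authenticate(store: ApiKeyStore, bearer: str, now: Optional[datetime] = None) -> Optional[str]:
    """Return the owning user_id for a valid key, else None.

    Order: prefix check -> row lookup -> constant-time hash compare ->
    revoked/expiry checks -> debounced last_used_at write.
    """
    now = now or datetime.now(timezone.utc)
    if not bearer.startswith(KEY_PREFIX):
        return None                                         # not an API key; a caller may try JWT next
    lookup = bearer[len(KEY_PREFIX):len(KEY_PREFIX) + LOOKUP_LEN]
    record = store.by_lookup.get(lookup)
    if record is None:
        return None
    # Compare hashes, not tokens, and in constant time so the mismatch position leaks nothing.
    if not hmac.compare_digest(hash_token(bearer), record.key_hash):
        return None
    if record.revoked_at is not None:
        return None
    if record.expires_at is not None and now >= record.expires_at:
        return None
    # Debounce: write last_used_at only when unset or older than the window, so a
    # scripted client making many calls does not turn every request into a DB write.
    if record.last_used_at is None or now - record.last_used_at >= LAST_USED_DEBOUNCE:
        record.last_used_at = now
    return record.user_id
```

The lookup fragment is what makes the constant-time comparison meaningful: the database query is indexed on a short plaintext prefix, and the secret is only ever compared as a hash with `hmac.compare_digest`, so neither a database dump nor a timing side channel yields a usable token.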