Merged
Conversation
There was a problem hiding this comment.
Pull request overview
Adds first-class JWT “API token” support to API v2 by introducing a persisted JwtApiKey model/table, a new /api/v2/ui/apiTokens endpoint for managing tokens, and changes to permission evaluation to use the JWT scope claim.
Changes:
- Add
JwtApiKeyDBA model/factory and register it with the API factory/router. - Add MySQL/Postgres migrations for the
JwtApiKeytable and utilities/endpoints for creating/deleting tokens. - Update API v2 permission handling (
validatePermissions) andaggregateDatato be instance-based.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 11 comments.
Show a summary per file
| File | Description |
|---|---|
| src/migrations/postgres/20260309164000_api-key.sql | Adds Postgres table for persisted JWT API keys. |
| src/migrations/mysql/20260309164000_api-key.sql | Adds MySQL table for persisted JWT API keys. |
| src/inc/utils/UserUtils.php | Revokes a user’s API keys during user deletion. |
| src/inc/utils/JwtTokenUtils.php | Utility for creating/deleting persisted API keys. |
| src/inc/apiv2/model/ApiTokenAPI.php | New API v2 model for managing API tokens and returning the encoded JWT on creation. |
| src/inc/apiv2/common/AbstractBaseAPI.php | Switches permission validation to use JWT scope attribute; makes aggregateData non-static; extends json2db for array(string). |
| src/inc/apiv2/auth/token.routes.php | Adjusts JWT issuance to pull scopes from the user’s right group. |
| src/inc/apiv2/model/TaskAPI.php | Updates aggregateData signature to instance method. |
| src/inc/apiv2/model/PreTaskAPI.php | Updates aggregateData signature to instance method. |
| src/inc/apiv2/model/AgentAPI.php | Updates aggregateData signature to instance method. |
| src/dba/models/generator.php | Registers JwtApiKey for model generation metadata. |
| src/dba/models/JwtApiKey.php | Adds new DBA model representing persisted JWT API keys. |
| src/dba/models/JwtApiKeyFactory.php | Adds factory for JwtApiKey. |
| src/dba/Factory.php | Registers JwtApiKeyFactory accessor. |
| src/api/v2/index.php | Registers ApiTokenAPI routes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
added 10 commits
March 11, 2026 13:49
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 16 out of 16 changed files in this pull request and generated 10 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
s3inlc
requested changes
Mar 12, 2026
s3inlc
requested changes
Mar 12, 2026
s3inlc
approved these changes
Mar 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.