[FR] API Keys Management and Security Controls

[chussenot-believe]

API Keys Management and Security Controls

Description

We appreciate using SourceBot EE for its integration with LLMs and advanced code search capabilities. However, we have significant security concerns around API key management that increase the risk of unauthorized data access, exfiltration, and could lead to supply chain compromission.

Note: SourceBot already provides audit logs (see docs), but we request enhanced coverage for API key management and alerting hooks.

• Docs: https://docs.sourcebot.dev/docs/configuration/audit-logs#audit-action-types

Context and Security Concerns

Current API key management in SourceBot presents several critical security issues:

• API key misuse – a leaked SOURCEBOT_API_KEY grants full access to all MCP tools, without granular restrictions.
• Visibility of API keys – admins cannot view or centrally monitor all keys created by users, making leaks and misuse harder to detect.
• No expiration or rotation – API keys persist indefinitely, increasing the blast radius of any compromise.
• Lack of granular permissions – all API keys have the same level of access regardless of user role or need.
• No approval workflows – sensitive permissions can be granted without oversight.

These concerns mean that controlling API key creation and usage is critical to prevent unintentional data exposure and maintain least privilege.

Requested Features

We request the following features to improve API key management and security:

1. Admin Dashboard for API Keys

• View all API keys with metadata (owner, creation date, last usage, permissions).
• Ability to revoke keys centrally.
• Expiration & rotation: support for short-lived keys with automatic rotation.
• Real-time monitoring of key usage patterns.

2. RBAC Control on API Key Creation

• Restrict key generation by role.
• Add approval workflows for sensitive permissions.
• Require justification for high-privilege key creation.

3. Granular Admin Rules & Scopes

• Define which roles/people can create keys.
• Restrict keys to specific MCP tools (e.g., allow list_repos but not get_file_source).
• Enforce repository and file-level access policies.
• Time-based access controls (e.g., keys only valid during business hours).

4. Enhanced Auditability & Alerting

• Extend existing audit logs with detailed API key usage events.
• Provide alerting hooks for suspicious activity (e.g., unusual usage patterns, bulk operations).
• Integration with SIEM systems for centralized monitoring.

5. Key Lifecycle Management

• Automatic key rotation based on organizational policies.
• Key expiration notifications and renewal workflows.
• Emergency key revocation capabilities.
• Key usage analytics and reporting.

Security Benefits

Implementing these features would provide:

• Reduced attack surface through granular permissions and time-limited access
• Better incident response with centralized key management and monitoring
• Compliance support for organizations requiring strict access controls
• Risk reduction through approval workflows and usage monitoring
• Operational efficiency with automated rotation and lifecycle management

Conclusion

Robust API key management is essential for secure SourceBot deployment in enterprise environments. The current all-or-nothing approach creates unnecessary risk and makes it difficult to maintain least privilege principles. We request these features to enable secure, auditable, and manageable API key usage across the platform.

---

[msukkari]

Shipped #577 which is a stop gap to prevent API key restriction. We definitely need a more robust ACL for this though, will add it to our roadmap