From f3c2881f9641b1f0810c1b480d4b143da9997aab Mon Sep 17 00:00:00 2001 From: msukkari Date: Tue, 28 Oct 2025 15:27:30 -0700 Subject: [PATCH 1/2] add env var to restrict api key creation --- packages/web/src/actions.ts | 11 ++++++++++- packages/web/src/env.mjs | 6 ++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/packages/web/src/actions.ts b/packages/web/src/actions.ts index f7ba284a..6cacac68 100644 --- a/packages/web/src/actions.ts +++ b/packages/web/src/actions.ts @@ -393,7 +393,16 @@ export const verifyApiKey = async (apiKeyPayload: ApiKeyPayload): Promise<{ apiK export const createApiKey = async (name: string, domain: string): Promise<{ key: string } | ServiceError> => sew(() => withAuth((userId) => - withOrgMembership(userId, domain, async ({ org }) => { + withOrgMembership(userId, domain, async ({ org, userRole }) => { + if (env.EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS === 'true' && userRole !== OrgRole.OWNER) { + logger.error(`API key creation is disabled for non-admin users. User ${userId} is not an owner.`); + return { + statusCode: StatusCodes.FORBIDDEN, + errorCode: ErrorCode.INSUFFICIENT_PERMISSIONS, + message: "API key creation is disabled for non-admin users.", + } satisfies ServiceError; + } + const existingApiKey = await prisma.apiKey.findFirst({ where: { createdById: userId, diff --git a/packages/web/src/env.mjs b/packages/web/src/env.mjs index 31b3d97d..00b6e736 100644 --- a/packages/web/src/env.mjs +++ b/packages/web/src/env.mjs @@ -18,7 +18,7 @@ export const env = createEnv({ // Auth FORCE_ENABLE_ANONYMOUS_ACCESS: booleanSchema.default('false'), - + AUTH_SECRET: z.string(), AUTH_URL: z.string().url(), AUTH_CREDENTIALS_LOGIN_ENABLED: booleanSchema.default('true'), 
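Review bot: In `createApiKey` (packages/web/src/actions.ts) the new guard reports a refused request with `logger.error` and records only the user id, although a non-owner being refused is an expected authorization outcome rather than a fault. Logging it as a warning with role and org context keeps it usable as an audit signal without feeding error alerting, e.g. `logger.warn(`API key creation denied: user ${userId} (role ${userRole}) in org ${domain}`);`. The guard compares against `OrgRole.OWNER` while the variable name and the returned message say "non-admin", so the wording should name owners if that is the only permitted role. The check covers creation only; keys that non-owners already hold are presumably still accepted by `verifyApiKey`, whose body is outside this hunk, and the flag's documentation should say so. The body of `createApiKey` continues past the end of the hunk.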
@@ -130,10 +130,12 @@ export const env = createEnv({ SOURCEBOT_DEMO_EXAMPLES_PATH: z.string().optional(), + // Experimental Environment Variables + // @note: These environment variables are subject to change at any time and are not garunteed to be backwards compatible. + EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS: booleanSchema.default('false'), EXPERIMENT_SELF_SERVE_REPO_INDEXING_ENABLED: booleanSchema.default('false'), // @NOTE: Take care to update actions.ts when changing the name of this. EXPERIMENT_SELF_SERVE_REPO_INDEXING_GITHUB_TOKEN: z.string().optional(), - EXPERIMENT_EE_PERMISSION_SYNC_ENABLED: booleanSchema.default('false'), }, // @NOTE: Please make sure of the following: From cb1e96605cb9218391ded20e0020328edeb2e674 Mon Sep 17 00:00:00 2001 From: msukkari Date: Tue, 28 Oct 2025 15:30:15 -0700 Subject: [PATCH 2/2] changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d6358d9b..e336b863 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added support for passing db connection url as seperate `DATABASE_HOST`, `DATABASE_USERNAME`, `DATABASE_PASSWORD`, `DATABASE_NAME`, and `DATABASE_ARGS` env vars. [#545](https://github.com/sourcebot-dev/sourcebot/pull/545) - Added support for GitHub Apps for service auth. [#570](https://github.com/sourcebot-dev/sourcebot/pull/570) - Added prometheus metrics for repo index manager. [#571](https://github.com/sourcebot-dev/sourcebot/pull/571) +- Added experimental environment variable to disable API key creation for non-admin users. [#577](https://github.com/sourcebot-dev/sourcebot/pull/577) ### Fixed - Fixed "dubious ownership" errors when cloning / fetching repos. [#553](https://github.com/sourcebot-dev/sourcebot/pull/553)
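Review bot: The comment added above `EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS` in packages/web/src/env.mjs does not say what the flag enforces, and it misspells "guaranteed" as "garunteed". This variable is an access-control switch that defaults to `'false'` and is declared unstable, so a later rename would presumably leave deployments that still set the old name with the restriction silently off. A line such as `// When 'true', only org owners can create API keys (enforced in createApiKey in actions.ts); unset means unrestricted.` would make that explicit. The existing `@NOTE: Take care to update actions.ts when changing the name of this.` on the next variable could be repeated here, since actions.ts reads this one as well.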