fmhall commented Sep 30, 2025

Allow clients to create API keys on behalf of users. Designed for CLI apps, desktop apps, or apps that need to kick off long-running jobs on the user's behalf.

  • Show warning to users when this scope is requested
  • Handle scope in token issuance
  • Determine if a fresh API key should be created each time, if they should be reused, or if old ones should be archived when a new one with the same name ("Oauth generated API key") is created

It's also interesting to note that we aren't doing any validation/handling of scopes at the moment beyond ensuring they are a string.

Longer term

We want to enable CLI apps, desktop apps, etc. to allow users to authenticate and create API keys, without having to run a callback server.

Codex and Claude both spin up a callback server, since that works with no changes to an architecture like the one in this PR.

We could use the Device Code flow (RFC-8628), but that still requires the user to input a device code.

See initial questions in this tweet

rsproule commented Oct 1, 2025

did this a while ago and stashed it for some concerns #327

@rsproule

I can get on board with this but this is incomplete. We need:

  • show a warning or something in the AuthZ page like:
    'you are creating a long lived access token, this can be revoked in echo website'
  • need to actually append this scope in that scenario
  • need to be able to tell when an authz was initiated with this "api_key:create" scope. Probably an additional url param
  • sdk / clients need to know how to create this url (ask for this scope)
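
One way to do the scope handling discussed in this thread, as an added example that is not code from the PR or the echo project: the client builds the authorization URL, and the server validates the `scope` parameter per RFC 6749 section 3.3 and flags `api_key:create` so the AuthZ page can show the warning. Scope names other than `api_key:create`, the client records, and the URLs are assumptions.

```javascript
// Added example, not code from the PR. Scope names other than
// "api_key:create", the client records and the URLs are assumptions.
const API_KEY_CREATE = "api_key:create";
const KNOWN_SCOPES = new Set(["openid", "profile", API_KEY_CREATE]);
// RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
const SCOPE_TOKEN = /^[\x21\x23-\x5B\x5D-\x7E]+$/;
// Warning wording taken from the review comment in this thread.
const API_KEY_WARNING =
  "you are creating a long lived access token, this can be revoked in echo website";

// Client side: build the authorization URL that asks for the scopes.
function buildAuthorizeUrl(endpoint, clientId, redirectUri, scopes) {
  const url = new URL(endpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scopes.join(" "));
  return url.toString();
}

// Server side: reject anything that is not a well-formed, known scope
// registered for this client, then flag the key-minting scope.
function evaluateScope(client, rawScope) {
  const fail = (reason) => ({ ok: false, error: "invalid_scope", reason });
  if (typeof rawScope !== "string" || rawScope === "") return fail("missing scope");
  const scopes = [];
  for (const token of rawScope.split(" ")) {
    if (!SCOPE_TOKEN.test(token)) return fail("malformed scope token");
    if (!KNOWN_SCOPES.has(token)) return fail(`unknown scope: ${token}`);
    if (!client.allowedScopes.includes(token)) {
      return fail(`scope not allowed for client: ${token}`);
    }
    if (!scopes.includes(token)) scopes.push(token); // drop duplicates
  }
  const createsApiKey = scopes.includes(API_KEY_CREATE);
  return { ok: true, scopes, createsApiKey, warning: createsApiKey ? API_KEY_WARNING : null };
}

// Constructed sample clients.
const cliClient = { id: "cli-demo", allowedScopes: ["openid", API_KEY_CREATE] };
const webClient = { id: "web-demo", allowedScopes: ["openid", "profile"] };

// Round trip: the URL a CLI client would open, then the server-side check.
function demo() {
  const url = buildAuthorizeUrl("https://auth.example.test/oauth/authorize",
    cliClient.id, "http://127.0.0.1:8976/callback", ["openid", API_KEY_CREATE]);
  return evaluateScope(cliClient, new URL(url).searchParams.get("scope"));
}
```

The `createsApiKey` flag is what token issuance would read to decide whether to mint a key, so the decision is derived from the validated scope list rather than from a separate URL parameter.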
