API Keys
API keys are user-owned Better Auth API-key records. They attach to the same Better Auth user as workforce SSO accounts and connector/social OAuth accounts, so product API requests authenticate as that web user.
Current Behavior
Section titled “Current Behavior”- The web app manages keys at
Settings->API Keys. - The raw key is shown only once when it is created.
- Stored key material is Better Auth-managed and hashed.
- Default expiry is 90 days; max expiry is 365 days.
- Product API requests use the external
x-api-keyheader. - Users can create, disable, enable, and delete their own keys.
- Rotation is create-new-key, update the caller, then disable or delete the old key.
- Role-gated key management and per-key permission editing are deferred.
Runtime Shape
Section titled “Runtime Shape”apps/auth installs Better Auth’s API Key plugin through the shared auth package. apps/api uses the same plugin setup in its Mastra Better Auth provider so x-api-key-only product API requests can resolve a Better Auth session through auth.api.getSession.
The first implementation increment uses Better Auth database storage only. Secondary storage such as Redis is deferred until a concrete deployment or performance requirement is accepted.
Canonical Sources
Section titled “Canonical Sources”docs/features/authentication/spec.mdpackages/auth/src/server.tsapps/auth/src/auth.tsapps/api/src/auth/mastraBetterAuth.tspackages/contracts/src/auth/apiKeys.tsapps/web/server/api/settings/api-keys/apps/web/app/components/settings/UserApiKeysWorkspace.vueapps/web/app/pages/settings/api-keys.vuebruno/Leverage AI/collections/web/settings/bruno/Leverage AI/collections/api/chats/list-chats-with-api-key.bru