Skip to content

API Keys

API keys are user-owned Better Auth API-key records. They attach to the same Better Auth user as workforce SSO accounts and connector/social OAuth accounts, so product API requests authenticate as that web user.

  • The web app manages keys at Settings -> API Keys.
  • The raw key is shown only once when it is created.
  • Stored key material is Better Auth-managed and hashed.
  • Default expiry is 90 days; max expiry is 365 days.
  • Product API requests use the external x-api-key header.
  • Users can create, disable, enable, and delete their own keys.
  • Rotation is create-new-key, update the caller, then disable or delete the old key.
  • Role-gated key management and per-key permission editing are deferred.

apps/auth installs Better Auth’s API Key plugin through the shared auth package. apps/api uses the same plugin setup in its Mastra Better Auth provider so x-api-key-only product API requests can resolve a Better Auth session through auth.api.getSession.

The first implementation increment uses Better Auth database storage only. Secondary storage such as Redis is deferred until a concrete deployment or performance requirement is accepted.

  • docs/features/authentication/spec.md
  • packages/auth/src/server.ts
  • apps/auth/src/auth.ts
  • apps/api/src/auth/mastraBetterAuth.ts
  • packages/contracts/src/auth/apiKeys.ts
  • apps/web/server/api/settings/api-keys/
  • apps/web/app/components/settings/UserApiKeysWorkspace.vue
  • apps/web/app/pages/settings/api-keys.vue
  • bruno/Leverage AI/collections/web/settings/
  • bruno/Leverage AI/collections/api/chats/list-chats-with-api-key.bru