Task Breakdown: API Keys
Feature ID: api-keys
Status: Done (Retrospective)
Last updated: 2026-05-01
Phase 1 — Schema & contracts
- T1.
ApiKeyentity atpackages/agent/src/entities/api-key.entity.ts. - T2. Migration adding
api_keystable with uniquehashindex. - T3. DTOs (
CreateApiKeyDto,ApiKeyResponseDto,ApiKeyListResponseDto) inpackages/contracts/.
Phase 2 — Service & guard
- T4.
ApiKeyService.create / list / revoke / authenticate. - T5.
ApiKeyOrJwtGuardthat tries API-key auth first, falls through to JWT. - T6. Per-user cap enforcement (10 keys).
- T7. Expiry validation on create + on auth.
Phase 3 — Controller
- T8.
ApiKeyControlleratapps/api/src/auth/api-keys/api-keys.controller.ts. - T9. Swagger decorators for all three endpoints.
- T10. e2e tests in
apps/api/test/.
Phase 4 — Web UI
- T11. Settings → API Keys page (
apps/web/src/app/[locale]/settings/api-keys/). - T12. Create modal with one-time key reveal + copy button.
- T13. Revoke confirmation modal.
Phase 5 — Maintenance
- T14. Daily cron task to purge expired keys.
Phase 6 — Docs
- T15. User-facing doc
docs/features/api-keys.md. - T16. Cross-link from MCP server doc and authentication API ref.
- T17. Retrospective spec/plan/tasks.
Definition of Done
- All tasks shipped, tests pass, docs present, constitution gates verified.