Skip to content

Personal access token management: named, scoped, expiring API tokens #97

Description

@taylortom

Users need to authenticate Adapt API requests as themselves (from scripts, CI pipelines, the API console) without embedding a password or reusing a browser session.

The token layer already persists authtokens and authenticates Bearer tokens, and manual tokens can be scope-restricted (resolveTokenScopes). This proposes rounding that into a manageable personal-access-token (PAT) feature:

New

  • A human-readable name on a token so a user can tell their tokens apart.
  • Selectable expiry (a per-token lifespan, including a non-expiring option), with the resolved expiresAt surfaced on the listing.
  • A stored masked hint (the full token value is only returned once at creation) and an adpt_pat_ prefix so tokens are recognisable.
  • A DELETE /tokens/:_id endpoint so a user can revoke a single one of their own tokens (only whole-session disavow exists today).
  • Allow a super user to mint a token, provided they name explicit, non-*:* scopes (a super currently cannot mint one at all).

Fix

The generatetoken/tokens endpoints and the scope-forwarding groundwork (#95) are the foundation this builds on.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Merged

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions