backend
frontend
database
auth
Owner-aware API keys and route-driven OpenAPI docs
- Owner-scoped API keys with dashboard UI — Added full API key lifecycle with owner context (Personal or Organization), project scoping (All projects or Selected projects), one-time plaintext reveal in the dashboard, Vault-backed secret storage, and usage tracking (usage_count, last_used_at).
- Route-driven OpenAPI generation and docs quality gate — Generated a Mintlify-friendly OpenAPI 3.1 spec from @openapi JSDoc on route files, added bearer/apiKey security schemes, and added a docs quality gate (pnpm openapi:check) to catch spec drift.
New Features
- Added owner-aware API key CRUD and dashboard UI (create, show plaintext once, list, update, revoke, soft-delete) with Personal and Organization owner contexts. (frontend)
- Added project scoping for API keys (all_projects or selected_projects) and server-side enforcement so project-bound endpoints check key scope. (backend)
- Added Vault-backed secret linkage for API key plaintext values and stored only the Vault secret ID with collision-proof naming. (auth)
- Added API key usage tracking (usage_count and last_used_at) with an atomic increment RPC to record usage on every authenticated request. (database)
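
The server-side scope enforcement described above, sketched as an added example (not this project's code). The record shapes, field names other than the `all_projects` / `selected_projects` scope values, and the function name are assumptions; the sample records are constructed.

```javascript
// Added illustration: hypothetical record shapes, not the project's schema.
// Decide whether an API key may act on a project-bound endpoint.
function authorizeKeyForProject(key, project) {
  // Revoked or soft-deleted keys are rejected before any scope logic runs.
  if (key.revoked_at || key.deleted_at) {
    return { ok: false, reason: "key_inactive" };
  }
  // Owner context: a Personal or Organization key only reaches projects
  // that belong to that same owner, whatever its project scope says.
  if (key.owner_type !== project.owner_type || key.owner_id !== project.owner_id) {
    return { ok: false, reason: "owner_mismatch" };
  }
  if (key.scope === "all_projects") {
    return { ok: true };
  }
  if (key.scope === "selected_projects") {
    const allowed = (key.project_ids || []).includes(project.id);
    return allowed ? { ok: true } : { ok: false, reason: "project_not_in_scope" };
  }
  // Fail closed on a missing or unrecognised scope value.
  return { ok: false, reason: "unknown_scope" };
}

// Constructed sample data.
const orgKey = {
  owner_type: "organization", owner_id: "org_1",
  scope: "selected_projects", project_ids: ["proj_a"],
  revoked_at: null, deleted_at: null,
};
const projA = { id: "proj_a", owner_type: "organization", owner_id: "org_1" };
const projB = { id: "proj_b", owner_type: "organization", owner_id: "org_1" };
const foreign = { id: "proj_a", owner_type: "organization", owner_id: "org_2" };

function demo() {
  return [projA, projB, foreign].map((p) => authorizeKeyForProject(orgKey, p));
}
console.log(demo());
```

The owner check runs before the scope check so that an `all_projects` key cannot reach another owner's projects, and any scope value outside the two known ones is denied.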
API
- Generated OpenAPI 3.1 from route-level @openapi JSDoc, added bearerAuth and apiKeyAuth schemes, and included operation metadata for the public /v1 surface. (backend)
- Added new /v1/api-keys endpoints for owner-scoped CRUD and scope management and updated v1 routes to accept API key auth with owner-aware authorization. (backend)
Documentation
- Moved and expanded authentication docs into an Authentication & API Keys page, updated quickstart and API reference to reflect generated OpenAPI and auth guidance.
- Added CLI/CI commands to regenerate (pnpm generate:openapi) and validate (pnpm openapi:check) the OpenAPI spec to prevent docs drift.
Bug Fixes
- Fixed Vault secret name collisions by appending a timestamp + UUID when creating secrets to prevent duplicate-name failures. (devops)
- Hardened dev/runtime ordering (turbo dev now depends on ^build) to avoid stale artifacts and missing Inngest function registrations after restarts. (devops)
- Improved routing and auth handling (added 404 handler and broader header parsing) to make API responses more robust for missing or alternative auth headers. (backend)
Security
- Stored raw API key secrets only in Vault and returned plaintext only once at creation; subsequent views show metadata and prefix only. (auth)