fix(settings): show plaintext on org token regenerate

@zen-agentchecks n/achecks…zen/fix-org-token-reveal-2djpxi → main2 files · +155 −76updated 1mo ago

▸Description · 1 noise

Description

The org access token settings page never displayed the full plaintext token. After SEC-336 (hermes#9548), GET /api/v3/org/api_key returns only a server-side mask (oak...xyz) — but AccessTokenSection piped that masked value through an Eye/Copy toggle that visually implied a reveal. Both states of the toggle were masked: oak...xyz (server) and oak_***************xyz (UI re-mask of the already-masked string). The full key returned by POST /api/v3.1/org/api_key/regenerate was discarded — onSuccess only invalidated the GET cache instead of capturing the response.

Customer impact (T-10555 / Maciej Lis, codeyourbrand): generated a key, never had a chance to copy it, regenerated 4 times in 22 minutes trying to reveal it, then filed a ticket. Same trap is hit by every admin who regenerates after the SEC-336 rollout.

What changed

Capture the plaintext from the regenerate mutation. onSuccess(data) now stores data.org_api_key in a freshToken state.
One-time reveal panel. When freshToken is set, render a warning Alert ("Save this access token now — the full token is shown only once") with the plaintext, an Eye/EyeOff toggle that actually toggles between the plaintext and a UI-side obscured form for screen-share safety, a Copy button (now wired to the plaintext), and a Done button to dismiss.
Persistent masked panel is copy-less. When only the GET-masked value is available, drop the misleading reveal/copy buttons and show explanatory text: "Composio only stores a hash of your token. The full value is shown once at creation — to retrieve a usable token, regenerate to issue a new one."
First-time generate works the same way — the "Generate" button on the empty state hits the same regenerate mutation and lands directly in the one-time reveal panel.
New analytics: OrgSettingsAccessTokenCopyEvent, OrgSettingsAccessTokenDoneEvent.

How did I test this PR

End-to-end with chrome-devtools MCP against http://localhost:3000 after generating Prisma + restarting the dashboard dev server (logged in as the agent test user, /login_workspace/~/settings).

Drove every state and captured screenshots:

Empty state → "No access token generated yet" + Generate button.
Click Generate → warning Alert appears with full plaintext oak_BqTIZ1ScG7yZ6_oJLPWz, toast "Access token generated".
Click Hide → token shown as oak_****************LPWz; eye toggles back to Show.
Click Copy → checkmark + toast "Access token copied to clipboard". Verified via DOM that navigator.clipboard.writeText is called with the plaintext.
Click Done → Alert dismissed; persistent panel shows server-side mask oak...LPWz, helper hint, no Copy/Eye buttons.
Click Regenerate → confirm → AlertDialog with new copy ("The new token is shown only once."); confirming returns directly to the one-time reveal panel with a brand-new plaintext (oak_idD-qM1WVKJkeq5up7NT), proving regenerate also surfaces the full key.

Visual demo (slideshow of the seven states): https://pub-b70cb36a6853407fa468c5d6dec16633.r2.dev/260902/generic/file_upload/request/91f3f053b796b0e82a5701dc0e8560c6

Static checks:

pnpm typecheck — clean (also re-ran openapi:generate).
pnpm lint — no new warnings/errors on the touched files (5 pre-existing errors live in unrelated files: clear-cli-key-cookie.tsx and route.ts).
pnpm exec prettier --write on both touched files.

🤖 Generated with Claude Code

▸ 1 bot/status comment hidden

@vercel[bot]1mo ago

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
dashboard	Ready	Preview, Comment	May 1, 2026 5:54pm

loading diff…