The latest updates on your projects. Learn more about Vercel for GitHub.
| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| debby | May 24, 2026 1:59am |
Customers were seeing composio-service-key entries appear in their project API key list — keys they never created and can't explain.
Composio creates short-lived project API keys internally when executing tools on a request that didn't authenticate via a project API key (e.g. dashboard cookie session or org API key). These are passed to Thermos as composio_api_key in the authorization payload so Thermos can make authenticated callbacks to Apollo. They are purely an infrastructure detail — not intended for customer visibility or use.
Before commit 86803f06 ("make project api keys non-recoverable", merged to production yesterday), getOrCreateAPIKey would reuse an existing key for the project/member pair. After that commit removed the get-or-reuse logic, a fresh key is created on every tool execution that goes through this path. This caused the keys to accumulate rapidly and become highly visible to customers.
- is_internal BOOLEAN NOT NULL DEFAULT FALSE to project_api_keys.
- createAPIKey: Accepts a new isInternal parameter, stored on the row.
- getOrCreateAPIKey: Passes isInternal: true — every Composio-internal service key is now flagged at creation.
- getAllAPIKeysForProject: Adds isInternal: false to the Prisma where clause — internal keys are invisible to all customer-facing list paths (both ADMIN and DEVELOPER roles).
- deleteAPIKeyForCaller: Returns 404 for internal keys — customers cannot delete what they cannot see.
- deleteAllApiKeysForProject (project deletion flow) still deletes all keys including internal ones — correct behaviour.
- isInternal is not checked during authentication.
- isInternal: false filter is applied at the Prisma query layer, so it works for both ADMIN-role list (all keys) and DEVELOPER-role list (own keys only).
- deleteAPIKeyForCaller guard verified in code — returns 404 identical to a non-owned key so no information leak.
- ADD COLUMN IF NOT EXISTS — safe to re-run and idempotent.

Note for deployer: Run the v95 migration before deploying the Apollo code change. The column has DEFAULT FALSE so existing rows and in-flight traffic are unaffected. New internal keys created after the deploy will be marked is_internal=true and immediately hidden. Previously created composio-service-key rows (without the flag) will remain visible until a follow-up data backfill if needed — but they will stop accumulating.
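The visibility rules described above, as an added example that is not part of the PR or of Composio's code: an in-memory JavaScript model in which the list and delete paths share one predicate, so an internal key and a non-owned key produce the same 404. The row shape, the caller object, the `sampleRows` and `visibleTo` helpers, the response bodies, and the rule that an ADMIN can act on other members' keys are assumptions; only the three exported function names come from the description.

```javascript
// Added illustration: in-memory stand-in for the project_api_keys table.
// Row shape, ids and the caller object are constructed for this example.
function sampleRows() {
  return [
    { id: "k1", projectId: "p1", memberId: "alice", name: "ci-key", isInternal: false },
    { id: "k2", projectId: "p1", memberId: "bob", name: "bob-key", isInternal: false },
    { id: "k3", projectId: "p1", memberId: "alice", name: "composio-service-key", isInternal: true },
  ];
}

// Hypothetical shared predicate: what a customer-facing caller may see.
// Assumption: ADMIN sees every member's keys, DEVELOPER only their own.
function visibleTo(caller, projectId) {
  return (k) =>
    k.projectId === projectId &&
    k.isInternal === false &&
    (caller.role === "ADMIN" || k.memberId === caller.memberId);
}

// List path: the filter is part of the query, so it holds for both roles.
function getAllAPIKeysForProject(store, projectId, caller) {
  return store.filter(visibleTo(caller, projectId));
}

// Delete path: internal, non-owned and nonexistent ids all miss the same
// lookup, so the caller gets one indistinguishable 404.
function deleteAPIKeyForCaller(store, projectId, caller, keyId) {
  const pred = visibleTo(caller, projectId);
  const i = store.findIndex((k) => k.id === keyId && pred(k));
  if (i === -1) return { status: 404, body: { error: "API key not found" } };
  store.splice(i, 1);
  return { status: 204, body: null };
}

// Project deletion flow: no isInternal filter, internal keys go too.
function deleteAllApiKeysForProject(store, projectId) {
  const keep = store.filter((k) => k.projectId !== projectId);
  store.length = 0;
  store.push(...keep);
  return store.length;
}
```

Comparing the serialized responses for an internal id, a non-owned id and a nonexistent id is a useful regression test for the real handler: any difference in status, body or headers would reveal that a hidden key exists.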