PR Custody

feat(apollo): scoped API key for custom auth config token fetch

@shamsharoondraftchecks n/achecks…feat/plen-2602-token-extraction-key → master11 files · +234 −12review: @rohanprabhureview: @sohamganatrareview: @sarthakreview: @acsrujanreview: @kaavee315review: @anshugarg15updated 1d ago

GitHub

▸Description · 1 noise

PLEN-2602

Custom auth config token extraction was disabled platform-wide (LD redaction flag). Customers need a sanctioned path to extract tokens for their own OAuth apps — this adds it via a scoped API key capability, replacing the manual LaunchDarkly flow.

Changes

project_api_key_permissions/schema.ts + catalog.ts — new capability-only preset custom_auth_token_extraction (read-only, no routes of its own; route access still requires connected_accounts read)
securityUtils.ts — tokenExtractionAuthorized masking option: raw passthrough for custom auth configs, overriding project masking + platform redaction. Composio-managed stays REDACTED unconditionally
connected_accounts/[nanoId]/index.ts — GET-by-id computes authorization from authMethod.apiKeyMetadata (SCOPED permissioned keys only — DEVELOPER/default keys and cookie auth can never unmask) and emits a structured audit log (audit: custom_auth_token_extraction) on every unmasked fetch. List endpoint stays masked
apiKeys/schema.ts — isCustomAuthTokenExtractionScopedProjectAPIKeyMetadata helper
internal-dashboard/api-keys/create.ts + launchDarkly.ts — minting a key with this permission is gated per-org by customAuthTokenExtractionKeyCreationEnabled (default off, fails closed on LD outage); 403 otherwise. Captcha friction already exists on this endpoint

Dashboard UX (mask-toggle removal, warning/consent flow) lands separately in the dashboard repo.

Testing

Unit tests: masking decision matrix (authorized custom → raw, authorized managed → redacted, unauthorized → masked), metadata helper across key kinds
pnpm check-types, pnpm lint (0 errors), oxfmt --check, OpenAPI spec generation all clean; apiKeys + connected_accounts utils suites pass (319 tests)

🤖 Generated with Claude Code

▸ 1 bot/status comment hidden

@linear-code[bot]2d ago

Context

We have already disabled custom auth config's token extraction. Customers need a way to do it themselves — it's their own app, they want to extract those tokens.

Today it's happening via LaunchDarkly flow. We want to give them a path via scoped API key — any scoped key with this permission can extract tokens at their own risk.

UX should be high friction, explicit consent with warning — captcha + scope confirmation. We don't want this to be easy.

Direction

Add a scoped API key preset that allows custom auth config token extraction
Default project API keys cannot fetch these tokens
Dashboard removes the existing mask/secret toggles in project settings; replaced by the scoped-key creation flow with explicit friction + warning
LD flag stays on the create flow (off by default per org)
Every fetch with this scoped key emits an audit event

Comms

post-comms only: changelog + dashboard banner when the new path ships (the disabling itself was already done)

loading diff…