Skip to content

feat(api): platform API keys for headless webhook management (#376)#579

Draft
ClintEastman02 wants to merge 2 commits into
aws-samples:mainfrom
ClintEastman02:feat/376-platform-api-keys
Draft

feat(api): platform API keys for headless webhook management (#376)#579
ClintEastman02 wants to merge 2 commits into
aws-samples:mainfrom
ClintEastman02:feat/376-platform-api-keys

Conversation

@ClintEastman02

Copy link
Copy Markdown
Contributor

Summary

Closes #376.

Adds platform API keys as a first-class auth mechanism so CI/automation can create and manage webhooks without a Cognito user. Webhook invocation was already Cognito-free (HMAC), but webhook setup still required a Cognito JWT — this closes that gap for headless flows (GitHub Actions, workshops, service-to-service).

What changed

  • Unified authorizer — a REQUEST authorizer on /v1/webhooks* accepts either a Cognito JWT or a webhooks:manage API key. Existing Cognito flows are unchanged.
  • New /v1/api-keys endpoints (Cognito-gated) to mint / list / revoke keys.
  • Key formatbgak_<key_id>_<secret>. Only the secret hash is stored in DynamoDB (ApiKeyTable); lookup is a direct GetItem by key_id, so revocation has no GSI staleness window.
  • CLIbgagent api-key create|list|revoke, plus --api-key flag / BGAGENT_API_KEY env injection so headless callers skip bgagent login.
  • Docs — IDENTITY_AND_AUTH.md and SECURITY.md updated (+ synced Starlight mirrors).

Scope

Phase 1 only (webhook management via keys). Broader tasks:read/tasks:cancel scoping and replacing Cognito for interactive CLI are explicitly out of scope for v1, per the issue.

Testing

  • mise //cdk:test — 2261 pass (incl. new api-key-table, api-key-authorizer, create/list/delete-api-key, shared/api-key, gateway tests)
  • mise //cli:test — 575 pass (incl. api-key command + api-client tests)
  • mise //docs:sync — no drift
  • scripts/check-types-sync.ts — CDK ↔ CLI type sync OK

Notes for reviewers

  • Draft because upstream main has advanced ~40 commits since this branched; two files conflict on rebase and need resolution before this is review-ready:
    • cdk/package.json (dependency block)
    • cli/src/format.ts
    • Everything else auto-merges cleanly.
  • Governance: API: Allow webhook management with platform API keys (skip Cognito for automation) #376 does not yet carry the approved label and has no "Starting implementation" comment (ADR-003). Flagging so an admin can confirm approval before this leaves draft.

🤖 Generated with Claude Code

bgagent added 2 commits July 10, 2026 12:13
…ples#376)

Add long-lived, scoped platform API keys so CI/automation can manage
webhooks without a Cognito user. A unified REQUEST authorizer accepts
either a Cognito JWT or a `webhooks:manage` API key on /v1/webhooks*;
new Cognito-gated /v1/api-keys endpoints mint/list/revoke keys. Keys are
`bgak_<key_id>_<secret>` with only the secret hash stored in DynamoDB
(direct GetItem by key_id, no GSI staleness on revoke). CLI gains
`bgagent api-key` commands and `--api-key`/BGAGENT_API_KEY injection.
)

The new ApiKeyTable makes 19 DynamoDB tables in the agent stack.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

API: Allow webhook management with platform API keys (skip Cognito for automation)

1 participant