feat(api): platform API keys for headless webhook management (#376)#579
Draft
ClintEastman02 wants to merge 2 commits into
Draft
feat(api): platform API keys for headless webhook management (#376)#579ClintEastman02 wants to merge 2 commits into
ClintEastman02 wants to merge 2 commits into
Conversation
added 2 commits
July 10, 2026 12:13
…ples#376) Add long-lived, scoped platform API keys so CI/automation can manage webhooks without a Cognito user. A unified REQUEST authorizer accepts either a Cognito JWT or a `webhooks:manage` API key on /v1/webhooks*; new Cognito-gated /v1/api-keys endpoints mint/list/revoke keys. Keys are `bgak_<key_id>_<secret>` with only the secret hash stored in DynamoDB (direct GetItem by key_id, no GSI staleness on revoke). CLI gains `bgagent api-key` commands and `--api-key`/BGAGENT_API_KEY injection.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #376.
Adds platform API keys as a first-class auth mechanism so CI/automation can create and manage webhooks without a Cognito user. Webhook invocation was already Cognito-free (HMAC), but webhook setup still required a Cognito JWT — this closes that gap for headless flows (GitHub Actions, workshops, service-to-service).
What changed
/v1/webhooks*accepts either a Cognito JWT or awebhooks:manageAPI key. Existing Cognito flows are unchanged./v1/api-keysendpoints (Cognito-gated) to mint / list / revoke keys.bgak_<key_id>_<secret>. Only the secret hash is stored in DynamoDB (ApiKeyTable); lookup is a directGetItembykey_id, so revocation has no GSI staleness window.bgagent api-key create|list|revoke, plus--api-keyflag /BGAGENT_API_KEYenv injection so headless callers skipbgagent login.Scope
Phase 1 only (webhook management via keys). Broader
tasks:read/tasks:cancelscoping and replacing Cognito for interactive CLI are explicitly out of scope for v1, per the issue.Testing
mise //cdk:test— 2261 pass (incl. newapi-key-table,api-key-authorizer,create/list/delete-api-key,shared/api-key,gatewaytests)mise //cli:test— 575 pass (incl.api-keycommand +api-clienttests)mise //docs:sync— no driftscripts/check-types-sync.ts— CDK ↔ CLI type sync OKNotes for reviewers
mainhas advanced ~40 commits since this branched; two files conflict on rebase and need resolution before this is review-ready:cdk/package.json(dependency block)cli/src/format.tsapprovedlabel and has no "Starting implementation" comment (ADR-003). Flagging so an admin can confirm approval before this leaves draft.🤖 Generated with Claude Code