Skip to content

feat: implement composite API key scopes for workspaces and templates #19945

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 29, 2025
Merged

feat: implement composite API key scopes for workspaces and templates #19945

merged 1 commit into from
Sep 29, 2025

Conversation

@ThomasK33
Copy link
Member

@ThomasK33 ThomasK33 commented Sep 24, 2025

Add Composite API Key Scopes

This PR adds high-level composite API key scopes to simplify token creation with common permission sets:

  • coder:workspaces.create - Create and update workspaces
  • coder:workspaces.operate - Read and update workspaces
  • coder:workspaces.delete - Read and delete workspaces
  • coder:workspaces.access - Read, SSH, and connect to workspace applications
  • coder:templates.build - Read templates and create/read files
  • coder:templates.author - Full template management with insights
  • coder:apikeys.manage_self - Manage your own API keys

These composite scopes are persisted in the database and expanded during authorization, providing a more intuitive way to grant permissions compared to the granular resource:action scopes.

This was referenced Sep 24, 2025
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
@ThomasK33 Graphite App
Copy link
Member Author

ThomasK33 commented Sep 24, 2025
edited
Loading

This stack of pull requests is managed by Graphite. Learn more about stacking.

@ThomasK33 ThomasK33 linked an issue Sep 24, 2025 that may be closed by this pull request
High-level (composite) scope sets (coder:...) #19849
Closed
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch 3 times, most recently from 7b3177b to 5ff29e3 Compare September 24, 2025 16:09
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_oauth2_external_scope_metadata branch from c86d555 to b630882 Compare September 24, 2025 16:09
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from 5ff29e3 to ed07df0 Compare September 24, 2025 16:27
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_oauth2_external_scope_metadata branch 2 times, most recently from 143c808 to 93a509e Compare September 24, 2025 16:42
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch 2 times, most recently from 6294b46 to 0e26021 Compare September 24, 2025 16:43
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_oauth2_external_scope_metadata branch from 93a509e to 8707c00 Compare September 24, 2025 16:44
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch 2 times, most recently from 8a2321b to 61218b2 Compare September 24, 2025 20:50
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_oauth2_external_scope_metadata branch 2 times, most recently from 2b7e3a9 to 20c22fe Compare September 25, 2025 15:46
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch 2 times, most recently from e49ab65 to 01e4d20 Compare September 25, 2025 15:46
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_oauth2_external_scope_metadata branch from 20c22fe to 22123c0 Compare September 25, 2025 15:46
@ThomasK33 ThomasK33 mentioned this pull request Sep 25, 2025
Merged
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from 01e4d20 to 84dc70d Compare September 25, 2025 15:56
@ThomasK33 ThomasK33 mentioned this pull request Sep 25, 2025
Merged
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_oauth2_external_scope_metadata branch from 94ad114 to 716c772 Compare September 26, 2025 07:45
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from c84abde to ba36a7d Compare September 26, 2025 07:45
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_oauth2_external_scope_metadata branch from 716c772 to 8f4b99b Compare September 26, 2025 08:25
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from ba36a7d to a2f4a0a Compare September 26, 2025 08:25
johnstcn
johnstcn reviewed Sep 26, 2025
View reviewed changes
@ThomasK33 ThomasK33 changed the base branch from thomask33/09-24-add_oauth2_external_scope_metadata to graphite-base/19945 September 26, 2025 09:57
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from a2f4a0a to c3e13cb Compare September 26, 2025 10:16
@graphite-app graphite-app bot changed the base branch from graphite-base/19945 to main September 26, 2025 10:16
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch 2 times, most recently from fe855d8 to 4552f9e Compare September 26, 2025 10:20
@ThomasK33 ThomasK33 requested a review from johnstcn September 26, 2025 10:22
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from 4552f9e to aa26434 Compare September 26, 2025 12:24
@ThomasK33 ThomasK33 mentioned this pull request Sep 26, 2025
Closed
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from aa26434 to e830bcb Compare September 26, 2025 14:00
@ThomasK33 ThomasK33 mentioned this pull request Sep 26, 2025
Merged
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch 2 times, most recently from 07a8634 to ec4f541 Compare September 26, 2025 18:05
@ThomasK33 ThomasK33 mentioned this pull request Sep 26, 2025
Closed
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from ec4f541 to ab38e97 Compare September 28, 2025 10:53
@ThomasK33 ThomasK33 changed the title feat: add composite API key scopes for workspaces and templates feat: implement composite API key scopes for workspaces and templates Sep 28, 2025
@ThomasK33 ThomasK33 mentioned this pull request Sep 28, 2025
Closed
johnstcn
johnstcn approved these changes Sep 29, 2025
View reviewed changes
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from ab38e97 to 8210ef2 Compare September 29, 2025 08:25
@ThomasK33
feat: add composite coder:* API key scopes for better UX
ff05d77 
Add high-level composite scopes that expand to multiple low-level
permissions:
- coder:workspaces.create - Template read/use + workspace CRUD
- coder:workspaces.operate - Workspace read/update
- coder:workspaces.delete - Workspace read/delete
- coder:workspaces.access - Workspace read/SSH/app connect
- coder:templates.build - Template read + file ops + provisioner jobs
- coder:templates.author - Full template management + insights
- coder:apikeys.manage_self - Self API key management

These composite scopes provide intuitive high-level permissions while
maintaining granular control through existing low-level scopes.
Database enum values are persisted to enable storing composite names
directly in tokens.
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from 8210ef2 to ff05d77 Compare September 29, 2025 09:46
@ThomasK33 ThomasK33 merged commit 79126ab into main Sep 29, 2025
32 checks passed
@ThomasK33 ThomasK33 deleted the thomask33/09-24-add_composite_api_key_scopes branch September 29, 2025 11:17
@github-actions github-actions bot locked and limited conversation to collaborators Sep 29, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@johnstcn johnstcn johnstcn approved these changes

@Emyrk Emyrk Awaiting requested review from Emyrk Emyrk is a code owner

Assignees

@ThomasK33 ThomasK33

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

High-level (composite) scope sets (coder:...)

3 participants

@ThomasK33 @johnstcn