Skip to content

feat: enhance API key management#63

Merged
chenyme merged 1 commit into
devfrom
management
May 27, 2026
Merged

feat: enhance API key management#63
chenyme merged 1 commit into
devfrom
management

Conversation

@chenyme

@chenyme chenyme commented May 27, 2026

Copy link
Copy Markdown
Contributor

Summary

Add safer upstream API Key management for multi-key rotation. The admin upstream edit flow now shows masked existing keys, supports marking individual keys for deletion, and treats the edit textarea as “add new keys” instead of replacing the whole key set. Replacing one key can be done by deleting the old masked key and adding a new key in the same save.

The backend now supports deleteAPIKeyIDs and addAPIKeys, keeps the existing full apiKeys replacement contract for compatibility, validates that at least one active key remains, and exposes masked key metadata without returning plaintext secrets.

Change type

  • Bug fix
  • Feature
  • Documentation
  • Refactor
  • Configuration / deployment
  • Security hardening
  • Other

Affected areas

  • Frontend / UI
  • Backend / API
  • Authentication / authorization
  • Conversations / streaming
  • Files / RAG / extraction
  • Model routing / providers
  • MCP / tools
  • Billing / payments
  • Admin console
  • Deployment / Docker / configuration
  • Documentation

Verification

  • cd backend && make swagger
  • cd backend && go test ./...
  • cd frontend && pnpm lint
  • cd frontend && pnpm build
  • git diff --check

Screenshots, API examples, or logs

N/A.

Configuration, migration, and compatibility notes

Configuration changes: None.

API changes: UpdateUpstreamRequest now supports addAPIKeys and deleteAPIKeyIDs. Existing apiKeys replacement behavior is preserved for backward compatibility.

Database migrations: None.

Deployment changes: None.

Backward compatibility: Existing upstream configs remain valid. Plaintext API keys are still never returned to the frontend.

Documentation

  • Documentation is not needed for this change.
  • Documentation was updated.
  • Documentation still needs to be updated.

Swagger was regenerated.

Security and privacy

  • No secrets, tokens, credentials, local config, or personal data are included.
  • User data access remains scoped by authenticated user context unless an admin-only path explicitly requires broader access.
  • Security-sensitive behavior was reviewed, including authentication, authorization, provider routing, file processing, billing, and admin APIs where relevant.

Masked API Key item IDs are derived with scoped HMAC identifiers and do not expose plaintext keys.

Checklist

  • I searched existing issues and pull requests.
  • Changes are focused and do not include unrelated refactors.
  • Tests or static verification were run where practical.
  • User-facing behavior, deployment steps, API contracts, or configuration changes are documented.
  • Generated artifacts are included only when this project explicitly requires them.
  • Caches, build output, .pyc files, .env files, and local storage data are not committed.

@chenyme chenyme linked an issue May 27, 2026 that may be closed by this pull request
3 tasks
@chenyme
chenyme merged commit 4494432 into dev May 27, 2026
2 checks passed
@chenyme
chenyme deleted the management branch May 27, 2026 14:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Feature]: 支持删除上游中过期或失效的 API Key

1 participant