[GH-ISSUE #8010] Revive API token support (per-file API keys) — PR #6350 #117641

Closed
opened 2026-06-11 13:04:33 -05:00 by GiteaMirror · 4 comments
Owner

Originally created by @wksantiago on GitHub (May 31, 2026).
Original GitHub issue: https://github.com/actualbudget/actual/issues/8010

Summary

Add user-generated API tokens so external clients can connect to the Actual
API with read/write access, scoped per budget file.

PR #6350 already implemented this but was auto-closed after going stale
(CI failures + merge conflict, no follow-up). This issue tracks reviving it.

What #6350 already did

  • Create, list, revoke/disable, and update API tokens from Settings
  • Tokens scoped to specific budget files (api_token_budgets table)
  • Token-based auth as an alternative to the global server password
  • Tokens stored hashed (bcrypt), only a prefix kept for lookup
  • Auth middleware + budget-scope enforcement
  • DB migration adding api_tokens and api_token_budgets tables
  • Unit tests for token service, middleware, and validation

To revive

  • Rebase on master and resolve the merge conflict
  • Fix the failing CI / VRT checks
  • Address remaining review feedback from the original PR

Acceptance criteria (gaps beyond a rebase)

  • Read/write scopes per token (read-only vs read+write), not just per-file
  • Per-operation permissions where it makes sense
  • Least-privilege defaults (empty scope should not mean access to all budgets)
  • Rate limiting on token validation and API requests
  • HTTPS enforcement (or documented requirement when exposed publicly)
  • Audit logging of API actions per token (not just last-used timestamp)
  • Input validation/sanitization on token name and budget IDs
  • OpenAPI/Swagger spec (current PR only adds prose docs)
  • Tests covering the above (scopes, rate limiting, e2e)

Why

Lets home automation, scripts, and other tools connect over the network with
a revocable, least-privilege key instead of sharing the server password, with
access limited per file.

Refs: #6350, #1384, #2054

Originally created by @wksantiago on GitHub (May 31, 2026). Original GitHub issue: https://github.com/actualbudget/actual/issues/8010 ### Summary Add user-generated API tokens so external clients can connect to the Actual API with read/write access, scoped per budget file. PR #6350 already implemented this but was auto-closed after going stale (CI failures + merge conflict, no follow-up). This issue tracks reviving it. ### What #6350 already did - Create, list, revoke/disable, and update API tokens from Settings - Tokens scoped to specific budget files (`api_token_budgets` table) - Token-based auth as an alternative to the global server password - Tokens stored hashed (bcrypt), only a prefix kept for lookup - Auth middleware + budget-scope enforcement - DB migration adding `api_tokens` and `api_token_budgets` tables - Unit tests for token service, middleware, and validation ### To revive - Rebase on master and resolve the merge conflict - Fix the failing CI / VRT checks - Address remaining review feedback from the original PR ### Acceptance criteria (gaps beyond a rebase) - [ ] Read/write scopes per token (read-only vs read+write), not just per-file - [ ] Per-operation permissions where it makes sense - [ ] Least-privilege defaults (empty scope should not mean access to all budgets) - [ ] Rate limiting on token validation and API requests - [ ] HTTPS enforcement (or documented requirement when exposed publicly) - [ ] Audit logging of API actions per token (not just last-used timestamp) - [ ] Input validation/sanitization on token name and budget IDs - [ ] OpenAPI/Swagger spec (current PR only adds prose docs) - [ ] Tests covering the above (scopes, rate limiting, e2e) ### Why Lets home automation, scripts, and other tools connect over the network with a revocable, least-privilege key instead of sharing the server password, with access limited per file. Refs: #6350, #1384, #2054
GiteaMirror added the featureneeds votes labels 2026-06-11 13:04:34 -05:00
Author
Owner

@coderabbitai[bot] commented on GitHub (May 31, 2026):

🔗 Related PRs

actualbudget/actual#7862 - [AI] Restrict secrets API access to admins in OpenID mode [merged]
actualbudget/actual#7940 - [AI] Reject disabled-user sessions in sync-server [merged]


📝 Issue Planner

Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.

  • Create Plan

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!

<!-- gh-comment-id:4587895937 --> @coderabbitai[bot] commented on GitHub (May 31, 2026): <!-- This is an auto-generated issue plan by CodeRabbit --> <details> <summary>🔗 Related PRs</summary> actualbudget/actual#7862 - [AI] Restrict secrets API access to admins in OpenID mode [merged] actualbudget/actual#7940 - [AI] Reject disabled-user sessions in sync-server [merged] </details> --- <details> <summary>📝 Issue Planner</summary> <sub>Check the box below or use the `@coderabbitai plan` command to generate an implementation plan and prompts that you can use with your favorite coding assistant.</sub> - [ ] <!-- {"checkboxId": "8d4f2b9c-3e1a-4f7c-a9b2-d5e8f1c4a7b9"} --> Create Plan </details> --- <details> <summary> 🧪 Issue enrichment is currently in open beta.</summary> You can configure auto-planning by selecting labels in the issue_enrichment configuration. To disable automatic issue enrichment, add the following to your `.coderabbit.yaml`: ```yaml issue_enrichment: auto_enrich: enabled: false ``` </details> 💬 Have feedback or questions? Drop into our [discord](https://discord.gg/coderabbit)!
Author
Owner

@wksantiago commented on GitHub (May 31, 2026):

Original implementation by @BCNelson in #6350 — would be great to revive it.

<!-- gh-comment-id:4587899200 --> @wksantiago commented on GitHub (May 31, 2026): Original implementation by @BCNelson in #6350 — would be great to revive it.
Author
Owner

@MatissJanis commented on GitHub (May 31, 2026):

Feel free to revive it. I'll be happy to review it.

<!-- gh-comment-id:4587914910 --> @MatissJanis commented on GitHub (May 31, 2026): Feel free to revive it. I'll be happy to review it.
Author
Owner

@github-actions[bot] commented on GitHub (May 31, 2026):

Thanks for sharing your idea!

This repository uses a voting-based system for feature requests. While enhancement issues are automatically closed, we still welcome feature requests! The voting system helps us gauge community interest in potential features. We also encourage community contributions for any feature requests marked as needing votes (just post a comment first so we can help guide you toward a successful contribution).

The enhancement backlog can be found here: https://github.com/actualbudget/actual/issues?q=label%3A%22needs+votes%22+sort%3Areactions-%2B1-desc+

Don't forget to upvote the top comment with 👍!

<!-- gh-comment-id:4587915583 --> @github-actions[bot] commented on GitHub (May 31, 2026): :sparkles: Thanks for sharing your idea! :sparkles: This repository uses a voting-based system for feature requests. While enhancement issues are automatically closed, we still welcome feature requests! The voting system helps us gauge community interest in potential features. We also encourage community contributions for any feature requests marked as needing votes (just post a comment first so we can help guide you toward a successful contribution). The enhancement backlog can be found here: https://github.com/actualbudget/actual/issues?q=label%3A%22needs+votes%22+sort%3Areactions-%2B1-desc+ Don't forget to upvote the top comment with 👍! <!-- feature-auto-close-comment -->
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/actual#117641