github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-22 22:32:01 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

[GH-ISSUE #2446] API Key owned by Organization #17829

New Issue
Closed
opened 2026-04-15 16:10:07 -05:00 by GiteaMirror · 19 comments
GiteaMirror commented 2026-04-15 16:10:07 -05:00
Owner
Copy Link

Originally created by @anaclumos on GitHub (Apr 26, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/2446

Is this suited for github?

  • Yes, this is suited for github

Is your feature request related to a problem? Please describe.

Currently, API Keys are tied to Users.

Describe the solution you'd like

There needs to be a way to create an organization-owned API Keys.

Describe alternatives you've considered

I thought of admins of orgs being able to use API Keys of members, or share API keys owned by a user within Org, but seems like an overcomplication. If the owner could be organization, all members authorized within the org would be able to control it.

Additional context

No response

Originally created by @anaclumos on GitHub (Apr 26, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/2446 ### Is this suited for github? - [x] Yes, this is suited for github ### Is your feature request related to a problem? Please describe. Currently, API Keys are tied to Users. ### Describe the solution you'd like There needs to be a way to create an organization-owned API Keys. ### Describe alternatives you've considered I thought of admins of orgs being able to use API Keys of members, or share API keys owned by a user within Org, but seems like an overcomplication. If the owner could be organization, all members authorized within the org would be able to control it. ### Additional context _No response_
GiteaMirror added the locked label 2026-04-15 16:10:07 -05:00
GiteaMirror commented 2026-04-15 16:10:09 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Jul 26, 2025):

Hi, @anaclumos. I'm Dosu, and I'm helping the better-auth team manage their backlog. I'm marking this issue as stale.

Issue Summary:

  • Proposal to enable API keys to be owned and managed by organizations.
  • Aims to streamline access and control for authorized organization members.
  • Current method of sharing user-owned API keys is too complex for organizations.
  • No comments or developments have been made on this issue yet.

Next Steps:

  • Please let me know if this issue is still relevant to the latest version of the better-auth repository by commenting here.
  • If there is no further input, this issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!

<!-- gh-comment-id:3122093121 --> @dosubot[bot] commented on GitHub (Jul 26, 2025): Hi, @anaclumos. I'm [Dosu](https://dosu.dev), and I'm helping the better-auth team manage their backlog. I'm marking this issue as stale. **Issue Summary:** - Proposal to enable API keys to be owned and managed by organizations. - Aims to streamline access and control for authorized organization members. - Current method of sharing user-owned API keys is too complex for organizations. - No comments or developments have been made on this issue yet. **Next Steps:** - Please let me know if this issue is still relevant to the latest version of the better-auth repository by commenting here. - If there is no further input, this issue will be automatically closed in 7 days. Thank you for your understanding and contribution!
GiteaMirror commented 2026-04-15 16:10:10 -05:00
Author
Owner
Copy Link

@FdezRomero commented on GitHub (Jul 26, 2025):

Dosu, this is still an unresolved issue without a good or documented workaround. Please prioritize it in the backlog, thank you.

<!-- gh-comment-id:3122327798 --> @FdezRomero commented on GitHub (Jul 26, 2025): Dosu, this is still an unresolved issue without a good or documented workaround. Please prioritize it in the backlog, thank you.
GiteaMirror commented 2026-04-15 16:10:11 -05:00
Author
Owner
Copy Link

@chrisvxd commented on GitHub (Aug 23, 2025):

Here's a workaround that worked for me using the server APIs.

First, add organizationId to the schema (I'm using Drizzle)

export const apiKey = pgTable("apikey", {
   // ... default schema
  organizationId: text("organization_id").references(() => organizations.id, {
    onDelete: "cascade",
  }),
});

Then, create a custom endpoint which first calls the createApiKey method, and then updates the row with my organization

export async function POST(request: Request) {
  // Create key
  const data = await auth.api.createApiKey({
    body: {
      name: "project-api-key",
      expiresIn: 60 * 60 * 24 * 7,
      userId: "user-id", // server-only
    },
  });

  // Add organization to row
  const [dbKey] = await db
    .update(apiKeys)
    .set({ organizationId: "organization-id" })
    .where(eq(apiKeys.id, data.id))
    .returning();

  // Provide user with key from `createApiKey`, as key in DB is hashed.
  return NextResponse.json({ ... dbKey, key: data.key });
}

Would be nice to have native support, but this was easy enough.

<!-- gh-comment-id:3217151972 --> @chrisvxd commented on GitHub (Aug 23, 2025): Here's a workaround that worked for me using the server APIs. First, add `organizationId` to the schema (I'm using Drizzle) ```ts export const apiKey = pgTable("apikey", { // ... default schema organizationId: text("organization_id").references(() => organizations.id, { onDelete: "cascade", }), }); ``` Then, create a custom endpoint which first calls the `createApiKey` method, and then updates the row with my organization ```ts export async function POST(request: Request) { // Create key const data = await auth.api.createApiKey({ body: { name: "project-api-key", expiresIn: 60 * 60 * 24 * 7, userId: "user-id", // server-only }, }); // Add organization to row const [dbKey] = await db .update(apiKeys) .set({ organizationId: "organization-id" }) .where(eq(apiKeys.id, data.id)) .returning(); // Provide user with key from `createApiKey`, as key in DB is hashed. return NextResponse.json({ ... dbKey, key: data.key }); } ``` Would be nice to have native support, but this was easy enough.
GiteaMirror commented 2026-04-15 16:10:12 -05:00
Author
Owner
Copy Link

@whitetown commented on GitHub (Aug 23, 2025):

First, add organizationId to the schema (I'm using Drizzle)

I added to metadata... to avoid possible conflicts in the future
And now I need to add another endpoint to show keys for an organization members.

<!-- gh-comment-id:3217257878 --> @whitetown commented on GitHub (Aug 23, 2025): > First, add `organizationId` to the schema (I'm using Drizzle) I added to metadata... to avoid possible conflicts in the future And now I need to add another endpoint to show keys for an organization members.
GiteaMirror commented 2026-04-15 16:10:12 -05:00
Author
Owner
Copy Link

@pranavp10 commented on GitHub (Aug 25, 2025):

Thanks @ping-maxwell, I’ve been eagerly waiting for this feature!

<!-- gh-comment-id:3221091199 --> @pranavp10 commented on GitHub (Aug 25, 2025): Thanks @ping-maxwell, I’ve been eagerly waiting for this feature!
GiteaMirror commented 2026-04-15 16:10:13 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Nov 24, 2025):

Hi, @anaclumos. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary

  • You requested a feature to allow API keys to be owned and managed by organizations for easier access control.
  • The issue has seen some community interest, including workarounds shared by users like chrisvxd involving schema changes and custom endpoints.
  • FdezRomero highlighted the importance of this feature and requested prioritization.
  • Despite the interest and discussion, the feature remains unresolved and not yet implemented.

Next Steps

  • Please let me know if this feature is still relevant to your needs with the latest version of better-auth by commenting on this issue.
  • If I don’t hear back within 7 days, I will automatically close this issue to keep the backlog manageable.

Thanks for your understanding and contribution!

<!-- gh-comment-id:3571590526 --> @dosubot[bot] commented on GitHub (Nov 24, 2025): Hi, @anaclumos. I'm [Dosu](https://dosu.dev), and I'm helping the better-auth team manage their backlog and am marking this issue as stale. **Issue Summary** - You requested a feature to allow API keys to be owned and managed by organizations for easier access control. - The issue has seen some community interest, including workarounds shared by users like chrisvxd involving schema changes and custom endpoints. - FdezRomero highlighted the importance of this feature and requested prioritization. - Despite the interest and discussion, the feature remains unresolved and not yet implemented. **Next Steps** - Please let me know if this feature is still relevant to your needs with the latest version of better-auth by commenting on this issue. - If I don’t hear back within 7 days, I will automatically close this issue to keep the backlog manageable. Thanks for your understanding and contribution!
GiteaMirror commented 2026-04-15 16:10:13 -05:00
Author
Owner
Copy Link

@mmailaender commented on GitHub (Nov 25, 2025):

This is still relevant. In the workaround the organization API key is still related to a user. This is not ideal as a user can leave a company. Also adding an own API layer to interact with the API keys adds unnecessary API complexity.

<!-- gh-comment-id:3574015663 --> @mmailaender commented on GitHub (Nov 25, 2025): This is still relevant. In the workaround the organization API key is still related to a user. This is not ideal as a user can leave a company. Also adding an own API layer to interact with the API keys adds unnecessary API complexity.
GiteaMirror commented 2026-04-15 16:10:14 -05:00
Author
Owner
Copy Link

@thomasvanvelzen commented on GitHub (Dec 5, 2025):

This is definitely still relevant for me as well. In my case, API keys need to outlive individual users and stay tied to the organization itself. Relying on a user-owned key introduces risk (user leaves, permissions change, etc.) and complicates automation. Native org-owned API keys would avoid the extra API layer and keep access control predictable and maintainable. Would really appreciate official support for this.

<!-- gh-comment-id:3617586345 --> @thomasvanvelzen commented on GitHub (Dec 5, 2025): This is definitely still relevant for me as well. In my case, API keys need to outlive individual users and stay tied to the organization itself. Relying on a user-owned key introduces risk (user leaves, permissions change, etc.) and complicates automation. Native org-owned API keys would avoid the extra API layer and keep access control predictable and maintainable. Would really appreciate official support for this.
GiteaMirror commented 2026-04-15 16:10:15 -05:00
Author
Owner
Copy Link

@giray123 commented on GitHub (Dec 22, 2025):

I am also waiting for the native support for Organization owned API Keys.

<!-- gh-comment-id:3681502085 --> @giray123 commented on GitHub (Dec 22, 2025): I am also waiting for the native support for Organization owned API Keys.
GiteaMirror commented 2026-04-15 16:10:16 -05:00
Author
Owner
Copy Link

@darklight9811 commented on GitHub (Jan 31, 2026):

Any news on this? Its really weird that we can't handle those natively

<!-- gh-comment-id:3828890218 --> @darklight9811 commented on GitHub (Jan 31, 2026): Any news on this? Its really weird that we can't handle those natively
GiteaMirror commented 2026-04-15 16:10:16 -05:00
Author
Owner
Copy Link

@hugodemelo commented on GitHub (Feb 1, 2026):

What makes better auth great its also its plugins, this friction between the api keys and organizations plugin is a severe limitation.

API keys scoped to users create a false ownership model for B2B - when an employee leaves, the org loses its integration until someone else generates a new key.

this feature request should be taken seriously.

<!-- gh-comment-id:3830695896 --> @hugodemelo commented on GitHub (Feb 1, 2026): What makes better auth great its also its plugins, this friction between the api keys and organizations plugin is a severe limitation. API keys scoped to users create a false ownership model for B2B - when an employee leaves, the org loses its integration until someone else generates a new key. this feature request should be taken seriously.
GiteaMirror commented 2026-04-15 16:10:17 -05:00
Author
Owner
Copy Link

@thomasmol commented on GitHub (Feb 1, 2026):

Created a pr here for allowing additionalFields in the api-key plugin schema: https://github.com/better-auth/better-auth/pull/7744

This could already some use-cases for organization based api-keys, although not all

<!-- gh-comment-id:3831332020 --> @thomasmol commented on GitHub (Feb 1, 2026): Created a pr here for allowing `additionalFields` in the `api-key` plugin schema: https://github.com/better-auth/better-auth/pull/7744 This could already some use-cases for organization based api-keys, although not all
GiteaMirror commented 2026-04-15 16:10:17 -05:00
Author
Owner
Copy Link

@heiwen commented on GitHub (Feb 2, 2026):

+1 on this, looking for the same functionality right now.

Seems this is the #1 upvoted issue for better-auth.

@ping-maxwell @bytaesu @himself65 what do you guys think, anything we can help with?

<!-- gh-comment-id:3833170708 --> @heiwen commented on GitHub (Feb 2, 2026): +1 on this, looking for the same functionality right now. Seems this is the #1 upvoted issue for better-auth. @ping-maxwell @bytaesu @himself65 what do you guys think, anything we can help with?
GiteaMirror commented 2026-04-15 16:10:18 -05:00
Author
Owner
Copy Link

@Ciantic commented on GitHub (Feb 11, 2026):

Current API Key implementation is heavily user specific, maybe I would even call current implementation "User API keys" like Personal Access Tokens in other systems.

  • Every user can create API keys, there is no permissions check like "create" or "delete" for API keys
  • Every user can add any permissions to API keys, they are effectively just strings to it

So if you just add manual association to organization, you have to also add ability to filter what permissions per organization is given. Then there is future compatiblity, if your hack works, will it work in next version? These are PATs not organization API Keys.

I think there could be another plugin like organizationApiKeys, and this ApiKeys implementation is restricted for PATs.

(Why this matters? Because PATs (what API keys now are) are different concept from API keys in my opinion. Best would be to rename API Keys to -> Personal Access Tokens, but that is probably not possible anymore.)

<!-- gh-comment-id:3885291840 --> @Ciantic commented on GitHub (Feb 11, 2026): Current API Key implementation is heavily user specific, maybe I would even call current implementation "User API keys" like Personal Access Tokens in other systems. - Every user can create API keys, there is no permissions check like "create" or "delete" for API keys - Every user can add *any* permissions to API keys, they are effectively just strings to it So if you just add manual association to organization, you have to also add ability to filter what permissions per organization is given. Then there is future compatiblity, if your hack works, will it work in next version? These are PATs not organization API Keys. I think there could be another plugin like organizationApiKeys, and this ApiKeys implementation is restricted for PATs. (Why this matters? Because PATs (what API keys now are) are different concept from API keys in my opinion. Best would be to rename API Keys to -> Personal Access Tokens, but that is probably not possible anymore.)
GiteaMirror commented 2026-04-15 16:10:19 -05:00
Author
Owner
Copy Link

@Daspy11 commented on GitHub (Feb 16, 2026):

Having heard so many good things about better auth, I came here and am /baffled/ at the scope of the project while leaving this out. WTF. Not to shit on good honest work from maintainers here, but how did sign in with ethereum end up on the roadmap before org-scoped API keys?

<!-- gh-comment-id:3910968867 --> @Daspy11 commented on GitHub (Feb 16, 2026): Having heard so many good things about better auth, I came here and am /baffled/ at the scope of the project while leaving this out. WTF. Not to shit on good honest work from maintainers here, but how did sign in with ethereum end up on the roadmap before org-scoped API keys?
GiteaMirror commented 2026-04-15 16:10:19 -05:00
Author
Owner
Copy Link

@Bekacru commented on GitHub (Feb 16, 2026):

I’d argue that Sign in with Ethereum is more of a priority for an auth framework than API keys. API keys for the most part, can be implemented without needing your auth library to do anything.

That said, we already built a solution for API keys when we first introduced the plugin, using a reference pattern similar to what we did with the Stripe plugin. Our original idea was to avoid making assumptions across plugins and to keep everything fully isolated. For example, if you had your own custom organization implementation, you should still be able to use the API key plugin independently of it

However, based on user demand and how quickly the plugin system was adopted, we’re gradually moving toward tighter integration between certain plugins. We started with the Stripe plugin, and the API key improvements are on the roadmap for the 1.5 release.

<!-- gh-comment-id:3911007600 --> @Bekacru commented on GitHub (Feb 16, 2026): I’d argue that Sign in with Ethereum is more of a priority for an auth framework than API keys. API keys for the most part, can be implemented without needing your auth library to do anything. That said, we already built a solution for API keys when we first introduced the plugin, using a reference pattern similar to what we did with the Stripe plugin. Our original idea was to avoid making assumptions across plugins and to keep everything fully isolated. For example, if you had your own custom organization implementation, you should still be able to use the API key plugin independently of it However, based on user demand and how quickly the plugin system was adopted, we’re gradually moving toward tighter integration between certain plugins. We started with the Stripe plugin, and the API key improvements are on the roadmap for the 1.5 release.
GiteaMirror commented 2026-04-15 16:10:20 -05:00
Author
Owner
Copy Link

@darklight9811 commented on GitHub (Feb 17, 2026):

@Bekacru maybe this could be an opportunity to document a proper way to do inter-plugin communication for more advanced use cases

<!-- gh-comment-id:3917355777 --> @darklight9811 commented on GitHub (Feb 17, 2026): @Bekacru maybe this could be an opportunity to document a proper way to do inter-plugin communication for more advanced use cases
GiteaMirror commented 2026-04-15 16:10:20 -05:00
Author
Owner
Copy Link

@Censacrof commented on GitHub (Feb 18, 2026):

+1 we need this for our SaaS. Our current work-around involved creating a dummy user tied to only one organization each time we need to generate a new api key. It works, but it could be better.

<!-- gh-comment-id:3921229500 --> @Censacrof commented on GitHub (Feb 18, 2026): +1 we need this for our SaaS. Our current work-around involved creating a dummy user tied to only one organization each time we need to generate a new api key. It works, but it could be better.
GiteaMirror commented 2026-04-15 16:10:20 -05:00
Author
Owner
Copy Link

@ping-maxwell commented on GitHub (Feb 19, 2026):

Hey guys, sorry for the delayed updates.
This is being actively worked on. It will be part of the next release.

<!-- gh-comment-id:3929774990 --> @ping-maxwell commented on GitHub (Feb 19, 2026): Hey guys, sorry for the delayed updates. This is being actively worked on. It will be part of the next release.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label locked
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#17829
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?