[PR #1515] [MERGED] Feat: API Key plugin (rework) #3839

New Issue

GiteaMirror · 2026-03-13T11:16:48-05:00

GiteaMirror commented

2026-03-13 11:16:48 -05:00

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/1515
Author: @ping-maxwell
Created: 2/20/2025
Status: ✅ Merged
Merged: 2/28/2025
Merged by: @Bekacru

Base: main ← Head: feat/plugin/api-key-rework

📝 Commits (10+)

acb6f02 feat: API-key plugin
b761394 add: deleteAllExpiredApiKeys functionality
e5e0449 fix: fetching sessions from headers
d2f300c update: types & create-api-key now checks for min & max expiresIn values
552c19e tests: Started working on tests
26ec128 add: features
66b8c54 fix: create-api-key's expiration using / instead of *
d1a8317 update: schema metadata transforms invalid values as null
6e52d01 fix: create-api-key metadata should go through transformation
c33cb34 fix: missing metadata wouldn't have 'null' as value

📊 Changes

21 files changed (+4620 additions, -0 deletions)

View changed files

📝 docs/app/docs/[[...slug]]/page.tsx (+4 -0)
➕ docs/components/divider-text.tsx (+13 -0)
➕ docs/components/endpoint.tsx (+48 -0)
📝 docs/components/sidebar-content.tsx (+7 -0)
➕ docs/content/docs/plugins/api-key.mdx (+934 -0)
📝 packages/better-auth/src/client/plugins/index.ts (+1 -0)
➕ packages/better-auth/src/plugins/api-key/api-key.test.ts (+1603 -0)
➕ packages/better-auth/src/plugins/api-key/client.ts (+12 -0)
➕ packages/better-auth/src/plugins/api-key/index.ts (+228 -0)
➕ packages/better-auth/src/plugins/api-key/rate-limit.ts (+97 -0)
➕ packages/better-auth/src/plugins/api-key/routes/create-api-key.ts (+302 -0)
➕ packages/better-auth/src/plugins/api-key/routes/delete-all-expired-api-keys.ts (+37 -0)
➕ packages/better-auth/src/plugins/api-key/routes/delete-api-key.ts (+87 -0)
➕ packages/better-auth/src/plugins/api-key/routes/get-api-key.ts (+69 -0)
➕ packages/better-auth/src/plugins/api-key/routes/index.ts (+92 -0)
➕ packages/better-auth/src/plugins/api-key/routes/list-api-keys.ts (+55 -0)
➕ packages/better-auth/src/plugins/api-key/routes/update-api-key.ts (+284 -0)
➕ packages/better-auth/src/plugins/api-key/routes/verify-api-key.ts (+280 -0)
➕ packages/better-auth/src/plugins/api-key/schema.ts (+194 -0)
➕ packages/better-auth/src/plugins/api-key/types.ts (+272 -0)

...and 1 more files

📄 Description

API Key Plugin

Core features:

Allows you to create, update, get, list & delete API keys.
Allows you to to pass an API Key in the header of an API call, and it will mock a session out of the user who created that API key. (configurable in plugin options)
Rate-limiting built-in.
- Custom rate-limits can be applied per API key, which only goes into effect when an API key is being verified.
- Everything else can use the built-in Better Auth rate-limiting functionality to rate-limit endpoints.
API Key remaining count for limited (or optionally unlimited) verification usage.
API Key refilling functionality to refill the remaining count over a period of time. (useful for subscription use-cases)
Optionally enable or disable a key.
Allows you to pass additional metadata information for each key.
Allows you to pass a prefix for the API key generation.
Other stuff that I probably forgot. 😁

Tests

screenshot of it all

Almost 3x more tests than the old PR. 😅

Create

✅ create api key client without headers (should fail)
✅ create api key client with headers
✅ create api key server without headers (should fail)
✅ create api key server with headers
✅ create api key with custom name
✅ create api key with custom name that's smaller than allowed minimum (should fail)
✅ create api key with custom name that's larger than the allowed maximum (should fail)
✅ create api key with custom prefix
✅ create api key with custom prefix that's smaller than allowed minimum (should fail)
✅ create api key with custom prefix that's larger than the allowed maximum (should fail)
✅ create api key with custom expiresIn
✅ should fail to create key with custom expiresin when customExpiresTime is enabled
✅ create api key with custom expiresIn that's smaller than the allowed minimum (should fail)
✅ create api key with custom expiresIn that's larger than the allowed maximum (should fail)
✅ create api key with custom refillAndAmount from client auth (should fail because this is a server-only-property)
✅ create api key with custom refillInterval (should fail because it requires refillAmount as well)
✅ create api key with custom refillAmount (should fail because refillInterval is required)
✅ create api key with custom refillInterval & refillAmount
✅ create api key with custom remaining
✅ create api key with custom remaining that's smaller than allowed minimum (should fail)
✅ create api key with custom remaining that's larger than the allowed maximum (should fail)
✅ create api key with custom invalid metadata (should fail)
✅ create api key with custom valid metadata
✅ create api key's returned metadata should be an object
✅ create api key with with metadata when metadata is disabled (should fail)
✅ created api key's start property should be valid
✅ created api key's start property should be null if shouldStore is false
✅ created api key's start property should be the first charactersLength characters of the hashed key
✅ create api key with custom rate limit options from client auth (should fail because this is a server-only-property)
✅ create api key with custom rate limit options should apply successfully

Verify

✅ verify api key without headers (should fail)
✅ verify api key with headers
✅ verify api key with invalid key (should fail)
✅ verify api key 10 times in a row (should fail to rate-limits)
✅ should allow us to verify api key after rate-limit window has passed
✅ should check if verifying an api key's remaining count does go down
✅ should fail if the api key has no remaining
✅ Api key should fail if it's expired

Update

✅ update api key name without headers (should fail)
✅ update api key name with headers
✅ should fail to update api key name with a length larger than the allowed maximum
✅ should fail to update api key name with a length smaller than the allowed minimum
✅ should fail to update api key with no values to update
✅ update api key expiresIn value
✅ should fail to update expiresIn value if disableCustomExpiresTime is enabled
✅ update api key expiresIn value that's smaller than allowed minimum (should fail)
✅ update api key expiresIn value that's larger than the allowed maximum (should fail)
✅ update api key remaining value
✅ update api key remaining value that's smaller than allowed minimum (should fail)
✅ update api key remaining value that's larger than the allowed maximum (should fail)
✅ update api key refillInterval value (should fail since it requires refillAmount as well)
✅ update api key refillAmount value (should fail since it requires refillInterval as well)
✅ update api key refillInterval & refillAmount value
✅ update api key enabled value
✅ update api key with invalid metadata value
✅ update api key with valid metadata value
✅ update api key's returned metadata should be an object

Delete

✅ delete api key without headers (should fail)
✅ delete api key with headers
✅ delete api key that doesn't exist (should fail)

Get

✅ get api key by ID without headers (should fail)
✅ get api key by ID with headers
✅ get api key that doesn't exist (should fail)
✅ get api key's returned metadata should be an object
✅ get api key's returned key should not be defined

List

✅ list api keys without headers (should fail)
✅ list api keys with headers
✅ list api keys should contain metadata that are either objects or null

Sessions

✅ When making any request, if headers include x-api-key, then the the request should generate a mock session object for the user.
✅ Custom headers list should still work when calling getSession
✅ Custom key getter function should work

Closes

https://github.com/better-auth/better-auth/issues/1112

What's left? (todo)

✅ Update documentation: done
❌ Update nextjs/demo: Not started
❌ Add openAPI metadata: Not started

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/better-auth/better-auth/pull/1515 **Author:** [@ping-maxwell](https://github.com/ping-maxwell) **Created:** 2/20/2025 **Status:** ✅ Merged **Merged:** 2/28/2025 **Merged by:** [@Bekacru](https://github.com/Bekacru) **Base:** `main` ← **Head:** `feat/plugin/api-key-rework` --- ### 📝 Commits (10+) - [`acb6f02`](https://github.com/better-auth/better-auth/commit/acb6f0281a86a59856e4781480105134527a6e6b) feat: API-key plugin - [`b761394`](https://github.com/better-auth/better-auth/commit/b7613943c68f5a433c0f23c9f8d478796a51e172) add: `deleteAllExpiredApiKeys` functionality - [`e5e0449`](https://github.com/better-auth/better-auth/commit/e5e04490e405dde9536303c0aa3f46cf4629f6bb) fix: fetching sessions from headers - [`d2f300c`](https://github.com/better-auth/better-auth/commit/d2f300c28e4e486b02c2d7b9e5d2b3b2c551f2ad) update: types & create-api-key now checks for min & max expiresIn values - [`552c19e`](https://github.com/better-auth/better-auth/commit/552c19e5df1a2b13c18e09751075059cfc43a1d9) tests: Started working on tests - [`26ec128`](https://github.com/better-auth/better-auth/commit/26ec128f4795f9a4034086930279035894b9062c) add: features - [`66b8c54`](https://github.com/better-auth/better-auth/commit/66b8c543facf80842d83b44929ab559766f9065f) fix: create-api-key's expiration using `/` instead of `*` - [`d1a8317`](https://github.com/better-auth/better-auth/commit/d1a8317a2279a90fb8505211bc71f1b33150f6f1) update: schema `metadata` transforms invalid values as `null` - [`6e52d01`](https://github.com/better-auth/better-auth/commit/6e52d01b9b7940a090f9340aa331ea7fe0ac1c45) fix: create-api-key metadata should go through transformation - [`c33cb34`](https://github.com/better-auth/better-auth/commit/c33cb34606c0ebb5a1a0313768f274d3c8ef57ff) fix: missing metadata wouldn't have `'null'` as value ### 📊 Changes **21 files changed** (+4620 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `docs/app/docs/[[...slug]]/page.tsx` (+4 -0) ➕ `docs/components/divider-text.tsx` (+13 -0) ➕ `docs/components/endpoint.tsx` (+48 -0) 📝 `docs/components/sidebar-content.tsx` (+7 -0) ➕ `docs/content/docs/plugins/api-key.mdx` (+934 -0) 📝 `packages/better-auth/src/client/plugins/index.ts` (+1 -0) ➕ `packages/better-auth/src/plugins/api-key/api-key.test.ts` (+1603 -0) ➕ `packages/better-auth/src/plugins/api-key/client.ts` (+12 -0) ➕ `packages/better-auth/src/plugins/api-key/index.ts` (+228 -0) ➕ `packages/better-auth/src/plugins/api-key/rate-limit.ts` (+97 -0) ➕ `packages/better-auth/src/plugins/api-key/routes/create-api-key.ts` (+302 -0) ➕ `packages/better-auth/src/plugins/api-key/routes/delete-all-expired-api-keys.ts` (+37 -0) ➕ `packages/better-auth/src/plugins/api-key/routes/delete-api-key.ts` (+87 -0) ➕ `packages/better-auth/src/plugins/api-key/routes/get-api-key.ts` (+69 -0) ➕ `packages/better-auth/src/plugins/api-key/routes/index.ts` (+92 -0) ➕ `packages/better-auth/src/plugins/api-key/routes/list-api-keys.ts` (+55 -0) ➕ `packages/better-auth/src/plugins/api-key/routes/update-api-key.ts` (+284 -0) ➕ `packages/better-auth/src/plugins/api-key/routes/verify-api-key.ts` (+280 -0) ➕ `packages/better-auth/src/plugins/api-key/schema.ts` (+194 -0) ➕ `packages/better-auth/src/plugins/api-key/types.ts` (+272 -0) _...and 1 more files_ </details> ### 📄 Description # API Key Plugin <img width="1066" alt="image" src="https://github.com/user-attachments/assets/bb20aedc-7197-4aec-8046-badf4ee1b6b5" /> ## Core features: - Allows you to create, update, get, list & delete API keys. - Allows you to to pass an API Key in the header of an API call, and it will mock a session out of the user who created that API key. (configurable in plugin options) - Rate-limiting built-in. - Custom rate-limits can be applied per API key, which only goes into effect when an API key is being verified. - Everything else can use the built-in Better Auth rate-limiting functionality to rate-limit endpoints. - API Key `remaining` count for limited (or optionally unlimited) verification usage. - API Key refilling functionality to refill the `remaining` count over a period of time. (useful for subscription use-cases) - Optionally enable or disable a key. - Allows you to pass additional metadata information for each key. - Allows you to pass a prefix for the API key generation. - Other stuff that I probably forgot. 😁 ## Tests <details> <summary>screenshot of it all</summary> Almost 3x more tests than the old PR. 😅 <img width="555" alt="image" src="https://github.com/user-attachments/assets/ed4db425-df56-48fe-bf24-4aa0670fbfd4" /> </details> <details> <summary>Create</summary> - ✅ create api key client without headers (should fail) - ✅ create api key client with headers - ✅ create api key server without headers (should fail) - ✅ create api key server with headers - ✅ create api key with custom name - ✅ create api key with custom name that's smaller than allowed minimum (should fail) - ✅ create api key with custom name that's larger than the allowed maximum (should fail) - ✅ create api key with custom prefix - ✅ create api key with custom prefix that's smaller than allowed minimum (should fail) - ✅ create api key with custom prefix that's larger than the allowed maximum (should fail) - ✅ create api key with custom expiresIn - ✅ should fail to create key with custom expiresin when `customExpiresTime` is enabled - ✅ create api key with custom expiresIn that's smaller than the allowed minimum (should fail) - ✅ create api key with custom expiresIn that's larger than the allowed maximum (should fail) - ✅ create api key with custom refillAndAmount from client auth (should fail because this is a server-only-property) - ✅ create api key with custom refillInterval (should fail because it requires refillAmount as well) - ✅ create api key with custom refillAmount (should fail because refillInterval is required) - ✅ create api key with custom refillInterval & refillAmount - ✅ create api key with custom remaining - ✅ create api key with custom remaining that's smaller than allowed minimum (should fail) - ✅ create api key with custom remaining that's larger than the allowed maximum (should fail) - ✅ create api key with custom invalid metadata (should fail) - ✅ create api key with custom valid metadata - ✅ create api key's returned metadata should be an object - ✅ create api key with with metadata when metadata is disabled (should fail) - ✅ created api key's start property should be valid - ✅ created api key's start property should be null if `shouldStore` is false - ✅ created api key's start property should be the first `charactersLength` characters of the hashed key - ✅ create api key with custom rate limit options from client auth (should fail because this is a server-only-property) - ✅ create api key with custom rate limit options should apply successfully </details> <details> <summary>Verify</summary> - ✅ verify api key without headers (should fail) - ✅ verify api key with headers - ✅ verify api key with invalid key (should fail) - ✅ verify api key 10 times in a row (should fail to rate-limits) - ✅ should allow us to verify api key after rate-limit window has passed - ✅ should check if verifying an api key's remaining count does go down - ✅ should fail if the api key has no remaining - ✅ Api key should fail if it's expired </details> <details> <summary>Update</summary> - ✅ update api key name without headers (should fail) - ✅ update api key name with headers - ✅ should fail to update api key name with a length larger than the allowed maximum - ✅ should fail to update api key name with a length smaller than the allowed minimum - ✅ should fail to update api key with no values to update - ✅ update api key expiresIn value - ✅ should fail to update expiresIn value if `disableCustomExpiresTime` is enabled - ✅ update api key expiresIn value that's smaller than allowed minimum (should fail) - ✅ update api key expiresIn value that's larger than the allowed maximum (should fail) - ✅ update api key remaining value - ✅ update api key remaining value that's smaller than allowed minimum (should fail) - ✅ update api key remaining value that's larger than the allowed maximum (should fail) - ✅ update api key refillInterval value (should fail since it requires refillAmount as well) - ✅ update api key refillAmount value (should fail since it requires refillInterval as well) - ✅ update api key refillInterval & refillAmount value - ✅ update api key enabled value - ✅ update api key with invalid metadata value - ✅ update api key with valid metadata value - ✅ update api key's returned metadata should be an object </details> <details> <summary>Delete</summary> - ✅ delete api key without headers (should fail) - ✅ delete api key with headers - ✅ delete api key that doesn't exist (should fail) </details> <details> <summary>Get</summary> - ✅ get api key by ID without headers (should fail) - ✅ get api key by ID with headers - ✅ get api key that doesn't exist (should fail) - ✅ get api key's returned metadata should be an object - ✅ get api key's returned key should not be defined </details> <details> <summary>List</summary> - ✅ list api keys without headers (should fail) - ✅ list api keys with headers - ✅ list api keys should contain metadata that are either objects or null </details> <details> <summary>Sessions</summary> - ✅ When making any request, if headers include `x-api-key`, then the the request should generate a mock session object for the user. - ✅ Custom headers list should still work when calling getSession - ✅ Custom key getter function should work </details> ## Closes https://github.com/better-auth/better-auth/issues/1112 ## What's left? (todo) - ✅ Update documentation: done - ❌ Update nextjs/demo: Not started - ❌ Add openAPI metadata: Not started --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-03-13 11:16:48 -05:00

GiteaMirror closed this issue

2026-03-13 11:16:48 -05:00

GiteaMirror referenced this issue

2026-03-13 12:08:56 -05:00

[PR #3839] [MERGED] fix: avoid general oauth flow duplicate user #5040

GiteaMirror referenced this issue

2026-04-13 08:51:21 -05:00

[PR #3839] [MERGED] fix: avoid general oauth flow duplicate user #13287

GiteaMirror referenced this issue

2026-04-15 20:42:37 -05:00

[PR #3839] [MERGED] fix: avoid general oauth flow duplicate user #21941

GiteaMirror referenced this issue

2026-04-17 21:40:59 -05:00

[PR #3839] [MERGED] fix: avoid general oauth flow duplicate user #30641

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#3839