[GH-ISSUE #24434] bug: API key regenerated immediately on arrow click — no confirmation or save required #74905

Closed
opened 2026-05-13 07:46:23 -05:00 by GiteaMirror · 3 comments
Owner

Originally created by @schmunk42 on GitHub (May 7, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/24434

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.9.2

Ollama Version (if applicable)

No response

Operating System

Debian 12

Browser (if applicable)

Chromium 147.0.7727.137

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Clicking the regenerate/refresh arrow button next to the API key in Settings → Account → API Keys should either:

  • show a confirmation dialog before rotating the token ("Are you sure? All integrations using the current key will stop working immediately."), or
  • stage the new value locally and only persist it after the user explicitly clicks Save.

Actual Behavior

Clicking the arrow button immediately and irrevocably replaces the API key — no confirmation dialog is shown, and no Save button click is required. The old token is invalidated instantly, breaking any active integrations (CI/CD pipelines, API clients, etc.) without warning.

Steps to Reproduce

  1. Start Open WebUI
  2. Log in as any user
  3. Open Settings → Account
  4. Scroll to the API Keys section — note the current key value
  5. Click the arrow/refresh icon (↻) next to the API key
  6. Observe: The token changes immediately — no confirmation dialog, no Save button required
  7. The old API key is now invalid; any service that was using it will receive 401 errors

Logs & Screenshots

> curl -s -H "Authorization: Bearer $OWUI_API_KEY" \
    "https://owui/api/v1/auths/"
{"status_emoji":null,"status_message":null,"status_expires_at":null,"id":"92bbe619-.....","name":"T ...."date_of_birth":null}

Click on "Regenerate"

> curl -s -H "Authorization: Bearer $OWUI_API_KEY" \
    "https://owui/api/v1/auths/"
{"detail":"Your session has expired or the token is invalid. Please sign in again."}%

Additional Information

No response

Originally created by @schmunk42 on GitHub (May 7, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/24434 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version 0.9.2 ### Ollama Version (if applicable) _No response_ ### Operating System Debian 12 ### Browser (if applicable) Chromium 147.0.7727.137 ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior Clicking the regenerate/refresh arrow button next to the API key in Settings → Account → API Keys should either: - show a confirmation dialog before rotating the token ("Are you sure? All integrations using the current key will stop working immediately."), or - stage the new value locally and only persist it after the user explicitly clicks Save. ### Actual Behavior Clicking the arrow button immediately and irrevocably replaces the API key — no confirmation dialog is shown, and no Save button click is required. The old token is invalidated instantly, breaking any active integrations (CI/CD pipelines, API clients, etc.) without warning. ### Steps to Reproduce 1. Start Open WebUI 2. Log in as any user 3. Open Settings → Account 4. Scroll to the API Keys section — note the current key value 5. Click the arrow/refresh icon (↻) next to the API key 6. Observe: The token changes immediately — no confirmation dialog, no Save button required 7. The old API key is now invalid; any service that was using it will receive 401 errors ### Logs & Screenshots ``` > curl -s -H "Authorization: Bearer $OWUI_API_KEY" \ "https://owui/api/v1/auths/" {"status_emoji":null,"status_message":null,"status_expires_at":null,"id":"92bbe619-.....","name":"T ...."date_of_birth":null} ``` Click on "Regenerate" ``` > curl -s -H "Authorization: Bearer $OWUI_API_KEY" \ "https://owui/api/v1/auths/" {"detail":"Your session has expired or the token is invalid. Please sign in again."}% ``` ### Additional Information _No response_
GiteaMirror added the bug label 2026-05-13 07:46:23 -05:00
Author
Owner

@owui-terminator[bot] commented on GitHub (May 7, 2026):

🔍 Related Issues Found

I found some existing issues that might be related. Please check if any of these are duplicates or contain helpful solutions:

  1. 🟣 #20064 issue: Create new API key (CRITICAL)
    Related because it concerns the same API key creation/rotation endpoint and user-facing action. It shows that the API key UI behavior has been a prior issue, even though this report is about immediate regeneration/confirmation rather than failure to create a key.
    by richrich89 · bug

  2. 🟣 #12332 issue: Personal API Key unstable after Upgrade
    Related because it documents personal API keys changing unexpectedly after an upgrade, which overlaps with the core concern here: API keys becoming invalid without user intent or warning.
    by Xeroxxx · bug

  3. 🟣 #13957 issue: Your session has expired or the token is invalid. Please sign in again.
    Related only indirectly: it captures the exact invalid-token/session-expired error that occurs after the key is regenerated, helping confirm the downstream impact of the bug.
    by chrisbeardy · bug


💡 If your issue is a duplicate, please close it and add any additional details to the existing issue instead.

This comment was generated automatically. React with 👍 if helpful, 👎 if not.

<!-- gh-comment-id:4399773671 --> @owui-terminator[bot] commented on GitHub (May 7, 2026): <!-- terminator-bot:related-issues-reply --> 🔍 **Related Issues Found** I found some existing issues that might be related. Please check if any of these are duplicates or contain helpful solutions: 1. 🟣 [#20064](https://github.com/open-webui/open-webui/issues/20064) **issue: Create new API key (CRITICAL)** *Related because it concerns the same API key creation/rotation endpoint and user-facing action. It shows that the API key UI behavior has been a prior issue, even though this report is about immediate regeneration/confirmation rather than failure to create a key.* *by richrich89 · `bug`* 2. 🟣 [#12332](https://github.com/open-webui/open-webui/issues/12332) **issue: Personal API Key unstable after Upgrade** *Related because it documents personal API keys changing unexpectedly after an upgrade, which overlaps with the core concern here: API keys becoming invalid without user intent or warning.* *by Xeroxxx · `bug`* 3. 🟣 [#13957](https://github.com/open-webui/open-webui/issues/13957) **issue: Your session has expired or the token is invalid. Please sign in again.** *Related only indirectly: it captures the exact invalid-token/session-expired error that occurs after the key is regenerated, helping confirm the downstream impact of the bug.* *by chrisbeardy · `bug`* --- 💡 If your issue is a duplicate, please close it and add any additional details to the existing issue instead. *This comment was generated automatically.* React with 👍 if helpful, 👎 if not.
Author
Owner

@tjbck commented on GitHub (May 8, 2026):

Intended behaviour.

<!-- gh-comment-id:4407940134 --> @tjbck commented on GitHub (May 8, 2026): Intended behaviour.
Author
Owner

@schmunk42 commented on GitHub (May 8, 2026):

@tjbck Is there a reason why this is intended? There are so many places in the UI, where you have to hit "save" to apply changes. But this very critical value is changed - as mentioned - without confirm or save. What am I missing here?

Actually I misclicked the button, I hit regenerate instead of copy - that's how I stumbled upon this.

<!-- gh-comment-id:4408405617 --> @schmunk42 commented on GitHub (May 8, 2026): @tjbck Is there a reason why this is intended? There are so many places in the UI, where you have to hit "save" to apply changes. But this very critical value is changed - as mentioned - without confirm or save. What am I missing here? Actually I misclicked the button, I hit regenerate instead of copy - that's how I stumbled upon this.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#74905