@Piskoo Piskoo commented Jan 13, 2026

Summary

This PR adds support for instance admin tokens to the existing API token logic.

Changes

  • Organization in API tokens is now optional
  • Adds an explicit JWT scope claim for instance admin API tokens to enable clearer identification
  • Adds the permissions (policies) planned for the instance admin token
  • Adds correct handling for instance admin tokens to the API token middleware

Signed-off-by: Sylwester Piskozub <[email protected]>
@Piskoo Piskoo changed the title feat(api-token): add instance token support feat(api-token): add instance admin token support Jan 13, 2026
@Piskoo Piskoo changed the title feat(api-token): add instance admin token support feat(api-token): add instance admin token Jan 13, 2026
@Piskoo Piskoo marked this pull request as ready for review January 13, 2026 14:05
@Piskoo Piskoo requested review from jiparis and migmartri January 13, 2026 14:05
ALTER TABLE "api_tokens" ALTER COLUMN "organization_id" DROP NOT NULL;

-- Create index "apitoken_name" to table: "api_tokens"
CREATE UNIQUE INDEX "apitoken_name" ON "api_tokens" ("name") WHERE ((revoked_at IS NULL) AND (organization_id IS NULL));
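Review bot: the `ALTER COLUMN "organization_id" DROP NOT NULL` statement carries no comment on what a NULL organization now means, and the index name `apitoken_name` does not convey that it only covers rows matching `(revoked_at IS NULL) AND (organization_id IS NULL)`. A short comment in the migration stating that a NULL `organization_id` marks an instance admin token, and that this partial index enforces name uniqueness only among active tokens without an organization, would make the intent reviewable. Since the schema now accepts token rows with no organization, it is also worth confirming that every lookup which scopes tokens by organization handles the NULL case explicitly.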
Member

Does this mean that now you can have an API token with the same name in the same org?

Collaborator Author

@Piskoo Piskoo Jan 13, 2026

No, you can have an instance admin API token with the same name if the other one with the same name was revoked, the same way as for org API tokens here:

index.Fields("name").Edges("organization").Unique().Annotations(
entsql.IndexWhere("revoked_at IS NULL AND project_id IS NULL"),
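
The uniqueness rule discussed in this thread, as an added example that is not part of the PR or the project's code. It uses SQLite through Python's `sqlite3` as a stand-in for the project's database, with a constructed table holding only the columns named on this page and a hypothetical index name `apitoken_name_organization` for the org-scoped index. It shows that a composite unique index does not stop duplicate names when `organization_id` is NULL, which is the gap the partial index `apitoken_name` closes, and that a name becomes reusable once the earlier token is revoked.

```python
import sqlite3

# Constructed schema: only the columns named on this page, not the project's full table.
SCHEMA = """
CREATE TABLE api_tokens (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL,
    organization_id TEXT,  -- nullable, as after the migration
    project_id TEXT, revoked_at TEXT
);
-- Org-scoped index modelled on the ent snippet in the reply (index name is hypothetical).
CREATE UNIQUE INDEX apitoken_name_organization ON api_tokens (name, organization_id)
    WHERE revoked_at IS NULL AND project_id IS NULL;
"""
# The partial index added by the migration shown in this PR.
INSTANCE_INDEX = """
CREATE UNIQUE INDEX apitoken_name ON api_tokens (name)
    WHERE revoked_at IS NULL AND organization_id IS NULL;
"""

def new_db(with_instance_index):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + (INSTANCE_INDEX if with_instance_index else ""))
    return db

def try_insert(db, name, org=None):
    """Return True if the row was accepted, False on a uniqueness violation."""
    try:
        with db:
            db.execute("INSERT INTO api_tokens (name, organization_id) VALUES (?, ?)",
                       (name, org))
        return True
    except sqlite3.IntegrityError:
        return False

def revoke_instance(db, name):
    with db:  # constructed revocation timestamp
        db.execute("UPDATE api_tokens SET revoked_at = '2026-01-13' WHERE name = ? "
                   "AND organization_id IS NULL AND revoked_at IS NULL", (name,))

def scenario(with_instance_index):
    db = new_db(with_instance_index)
    results = {
        "first_instance": try_insert(db, "ci"),       # org-less token
        "dup_instance": try_insert(db, "ci"),         # same name, still active
        "org_a": try_insert(db, "ci", "org-a"),       # same name inside an org
        "dup_org_a": try_insert(db, "ci", "org-a"),   # duplicate inside that org
    }
    revoke_instance(db, "ci")
    results["instance_after_revoke"] = try_insert(db, "ci")
    return results
```

Calling `scenario(False)` and `scenario(True)` side by side shows the only difference is whether a second active org-less token with the same name is accepted.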

Signed-off-by: Sylwester Piskozub <[email protected]>