v0.0.9
API key management and scoped API access release for the Next.js application template.
v0.0.9
v0.0.9 adds API key management and scoped machine access to the template. It introduces personal
and organization keys, a starter /api/v1 surface, and settings UI for creating, updating,
disabling, and deleting keys.
Highlights
- Personal API keys are managed from
/user/api-keys. - Organization API keys are managed from
/w/:organizationKey/settings/api-keys. - API clients authenticate with the
x-api-keyheader instead of browser session cookies. - Keys support one-time secret display, permission presets, expiration, and rate limits.
- Starter
/api/v1endpoints expose key metadata, organizations, organization members, teams, and team members. - Owner and admin workspace roles can manage organization keys by default.
What changed for template users
Personal keys act as the owning user and can read organization data only while that user remains a member. Organization keys act as one workspace organization and stay scoped to that organization. Both key families use explicit permissions, so product teams can add their own API routes and permission presets without exposing raw Better Auth records to client code.
The management pages include education copy, create and edit dialogs, status metadata, key prefix display, scope summaries, rate-limit values, expiration state, last-use state, and delete confirmation.
Upgrade notes
- A Prisma migration is required before using API key features.
- Regenerate the Prisma client after installing dependencies so
prisma.apiKeyis available. - API clients must send keys in the
x-api-keyheader. - Key secrets are shown only once at creation time.
- Normal edits do not renew expiration automatically; renewal is explicit.
- Node.js 22+ is recommended because the current cache handler dependency requires it.
Quality
The release adds OpenSpec requirements, Jest coverage for API key configuration, permissions, schemas, actions, route handlers, management helpers, and UI behavior, plus Playwright coverage for personal keys, organization keys, and organization permission boundaries.