feat(auth): add builder-api-key management (create/fetch/revoke) #124
Open
naruto11eth wants to merge 5 commits into
Add `BuilderApiKeyInfo` (`key`, `created_at`, `revoked_at`) for the builder-api-key list endpoint and export it. The existing `BuilderApiKey` credential type is unchanged.
Lift the `POLY_BUILDER_*` header construction out of the two relayer resolvers into a single `build_builder_key_headers` so the builder-api-key revoke path can reuse it and the HMAC signing has one source of truth. No behavior change.
Add `create_builder_api_key` / `fetch_builder_api_keys` / `revoke_builder_api_key` (plus sync twins). create and fetch authenticate as the account via `secure_clob`; revoke is signed by the builder key's own HMAC, not account L2.
Expose create/fetch/revoke builder-api-key on the sync and async secure clients. `revoke_builder_api_key` raises `UserInputError` unless the client was created with the builder key to revoke.
Cover the builder-api-key parsers and client methods, including that revoke carries `POLY_BUILDER_*` (builder-key HMAC) and not account L2.
Ports the ts-sdk `/auth/builder-api-key` surface to the secure clients (DEV-153 / #51).

- `create_builder_api_key()` / `fetch_builder_api_keys()` — authenticate as the account (L2 via `secure_clob`). `create` returns the `BuilderApiKey` credential; `fetch` returns `BuilderApiKeyInfo` records (`key`, `created_at`, `revoked_at`).
- `revoke_builder_api_key()` — authenticated by the builder key's own HMAC (`POLY_BUILDER_*`), per ts-sdk#68 (working-as-intended), not account L2. Raises `UserInputError` unless the client holds the builder key to revoke.
- `build_builder_key_headers` so builder-key HMAC header construction has a single source of truth (the relayer resolvers now reuse it).

Sync + async parity. Unit tests cover the parsers and client methods, including a guardrail that `revoke` carries `POLY_BUILDER_*` and not account L2.

Naming: adds `BuilderApiKeyInfo` for the list record (additive — no breaking change); `BuilderApiKey` stays the credential. A pre-1.0 rename to mirror ts-sdk's `BuilderApiKeyCreds` / `BuilderApiKey` split is deferred.

Follow-up: a live `@metered` create→fetch→revoke round-trip (needs real builder credentials) is intentionally not included here — it's the only check that confirms the server's exact signed inputs.

Refs DEV-153, #51
Note
Medium Risk
Touches credential lifecycle and HMAC auth paths; revoke’s builder-key-only signing is security-sensitive but aligned with ts-sdk and covered by tests.
Overview
Adds `/auth/builder-api-key` support on sync and async secure clients: create and list use account L2 (`secure_clob`); revoke uses the builder key’s own `POLY_BUILDER_*` HMAC on `clob`, not L2, and raises `UserInputError` unless the client was created with that `BuilderApiKey`.

Introduces `BuilderApiKeyInfo` for list rows (`key`, `created_at`, `revoked_at`) and centralizes builder-key signing in `build_builder_key_headers`, reused by relayer resolvers and revoke. Response parsers and unit tests cover auth shapes and the revoke header guardrail.

Reviewed by Cursor Bugbot for commit 47dd173.
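
The revoke guardrail described in this PR, sketched as an added example (not code from this PR or the SDK): one function builds the builder-key HMAC headers, revoke reuses it, and a check rejects any `POLY_*` header outside the builder namespace. The header suffixes, the signed message layout, the `DELETE` method, `BuilderCreds` and all function names are assumptions; only the `POLY_BUILDER_` prefix, the `/auth/builder-api-key` path and the `UserInputError` behaviour come from the page.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

BUILDER_PREFIX = "POLY_BUILDER_"  # prefix named in the PR; the suffixes below are assumed


class UserInputError(ValueError):
    """Stand-in for the SDK's UserInputError."""


@dataclass(frozen=True)
class BuilderCreds:  # hypothetical shape, not the SDK's BuilderApiKey
    key: str
    secret: str  # urlsafe-base64 encoded HMAC secret
    passphrase: str


def builder_key_headers(creds: BuilderCreds, method: str, path: str,
                        timestamp: int, body: str = "") -> dict:
    """The one place where builder-key HMAC headers are constructed."""
    # Assumed signed input: timestamp + method + path + body.
    message = f"{timestamp}{method}{path}{body}".encode()
    digest = hmac.new(base64.urlsafe_b64decode(creds.secret), message, hashlib.sha256).digest()
    return {
        BUILDER_PREFIX + "API_KEY": creds.key,
        BUILDER_PREFIX + "PASSPHRASE": creds.passphrase,
        BUILDER_PREFIX + "TIMESTAMP": str(timestamp),
        BUILDER_PREFIX + "SIGNATURE": base64.urlsafe_b64encode(digest).decode(),
    }


def revoke_headers(creds: Optional[BuilderCreds], timestamp: int) -> dict:
    """Headers for revoke: builder-key HMAC only, refused when no builder key is held."""
    if creds is None:
        raise UserInputError("client was not created with the builder key to revoke")
    # DELETE is an assumed method; the path is the one named in the PR.
    return builder_key_headers(creds, "DELETE", "/auth/builder-api-key", timestamp)


def check_builder_only(headers: dict) -> None:
    """Guardrail: every POLY_* auth header must sit in the builder namespace."""
    names = [h.upper() for h in headers]
    stray = [h for h in names if h.startswith("POLY_") and not h.startswith(BUILDER_PREFIX)]
    if stray or not any(h.startswith(BUILDER_PREFIX) for h in names):
        raise AssertionError(f"revoke must carry only {BUILDER_PREFIX}* auth, stray: {stray}")


# Constructed sample credentials, not real keys.
SAMPLE = BuilderCreds("constructed-key-id",
                      base64.urlsafe_b64encode(b"constructed-secret").decode(), "constructed-pass")
```

A test in this style fails as soon as a refactor routes revoke through the account's L2 signer, which a status-code check alone would not catch.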