feat: add --api-key flag for persistent external API access #32

Merged: msoedov merged 1 commit into msoedov:main from bketelsen:feat/external-api-key on Apr 19, 2026

@bketelsen

Contributor

Summary

Adds a static, non-expiring API key that enables external tools to access the Mesa API without relying on ephemeral per-run agent keys.

Problem

Mesa's current API keys are dynamically generated per-run, scoped to individual agents, and expire after 60 minutes. This makes it impossible for external orchestration tools, CI/CD pipelines, or wrapper agents to interact with Mesa's API — they can't obtain a valid key without being part of the internal agent roster.

Solution

A new --api-key <key> CLI flag (and MESA_API_KEY_EXTERNAL env var) that configures a persistent external API key:

    # Start mesa with an external key
    mesa --api-key my-secret-key -t enterprise 3001

    # Use it from any external tool
    curl -H 'Authorization: Bearer my-secret-key' http://localhost:3001/api/v1/issues

Changes

| File | Change |
| --- | --- |
| cmd/mesa/main.go | Parse --api-key flag and MESA_API_KEY_EXTERNAL env, wire to API, print usage on startup |
| internal/handlers/api.go | Add SetExternalKey(), check external key in Auth() middleware before DB lookup, add GET /api/v1/issues list endpoint |
| internal/handlers/handlers_test.go | 3 new tests: valid external key, wrong value, not set |

Design Decisions

  • No DB schema changes — the external key is stored in-memory as a SHA-256 hash, checked before the existing DB key lookup
  • Synthetic agent context — external key resolves to a virtual external agent so endpoints that call agentFromContext() work correctly
  • New list endpoint — added GET /api/v1/issues?status=&limit= since external callers need to list all issues (not just an agent's inbox)
  • Backward compatible — no behavior changes when --api-key is not provided

Testing

All existing tests pass. 3 new tests added:

  • TestAuthExternalKey — valid key returns 200 with external agent in context
  • TestAuthExternalKeyWrongValue — wrong key returns 401
  • TestAuthExternalKeyNotSet — without external key configured, falls through to DB lookup

Use Case

I'm building an orchestration layer where an external agent (running outside Mesa) creates work blocks, injects issues, and reads results via the API. The current ephemeral keys make this impossible without direct SQLite access.

Adds a static, non-expiring API key that enables external tools to access
the Mesa API without relying on ephemeral per-run agent keys.

Changes:
- New --api-key <key> CLI flag (also MESA_API_KEY_EXTERNAL env)
- Auth middleware checks the external key before DB lookup
- External key resolves to a synthetic 'external' agent in context
- New GET /api/v1/issues endpoint for listing all issues (with ?status= and ?limit= filters)
- 3 new tests covering external key auth (valid, wrong value, not set)

The external key is intended for orchestration tools, CI/CD pipelines,
and external agents that need to create issues, read status, or post
comments without being part of the internal agent roster.

Usage:
  mesa --api-key my-secret-key -t enterprise 3001
  curl -H 'Authorization: Bearer my-secret-key' http://localhost:3001/api/v1/issues
@msoedov

msoedov commented Apr 19, 2026

Owner

LGTM, thank you!

@msoedov msoedov merged commit c0a9aa7 into msoedov:main Apr 19, 2026
1 check passed
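
The auth flow described in this PR (hash the presented bearer token, check it against the in-memory SHA-256 of the external key, resolve to a synthetic external agent, otherwise fall through to the DB lookup), as an added example that is not Mesa's code. The names externalAuth, newExternalAuth, wrap, probe and agentKey are hypothetical, the DB lookup is a stub that answers 401, and the constant-time digest comparison is an assumption about how such a check is best written, not something the PR states.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type agentKey struct{} // context key for the resolved agent name (hypothetical)

// externalAuth is a hypothetical stand-in: digest of the key, and whether one was set.
type externalAuth struct{ hash []byte; on bool }

func newExternalAuth(key string) *externalAuth {
	sum := sha256.Sum256([]byte(key)) // only the SHA-256 digest is kept in memory
	return &externalAuth{hash: sum[:], on: key != ""}
}

// wrap tries the external key first; dbAuth stands in for the existing DB key lookup.
func (a *externalAuth) wrap(dbAuth, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		sum := sha256.Sum256([]byte(strings.TrimPrefix(h, "Bearer ")))
		// Equal-length digests, compared without an early exit on the first differing byte.
		if a.on && strings.HasPrefix(h, "Bearer ") && subtle.ConstantTimeCompare(sum[:], a.hash) == 1 {
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), agentKey{}, "external")))
			return
		}
		dbAuth.ServeHTTP(w, r) // key unset or no match: the existing DB lookup decides
	})
}

// probe sends one constructed request; the DB stub answers 401, success echoes the agent.
func probe(a *externalAuth, header string) (int, string) {
	deny := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(401) })
	echo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, r.Context().Value(agentKey{})) })
	req := httptest.NewRequest("GET", "/api/v1/issues", nil)
	req.Header.Set("Authorization", header)
	rec := httptest.NewRecorder()
	a.wrap(deny, echo).ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(probe(newExternalAuth("my-secret-key"), "Bearer my-secret-key"))
}
```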