API auth feature requests

Just a handful of misc feature requests related to API tokens, I’m guessing many are already known. All “nice-to-have”.

1. Re-identifying tokens

Make it possible to re-identify keys in the dashboard, e.g. show the last few bits of the key “••••b33f”. Helpful when you didn’t create distinguishing enough key comments. (Mint larger/longer keys to compensate for the revealed entropy, I guess).

2. Consolidate/hide “fly ui” tokens

Somehow I’ve got a couple dozen “fly ui” tokens in my panel now. Doubt anyone needs granular control over these, maybe just a “log out other dashboard sessions” button…?

3. Record & show “last used” by key

Always nice when you can see when a platform last observed a key - helpful in periodic audits & cleanup (“eh, hasn’t been used in months - let’s delete it, unlikely to break prod”). Bonus points for IP and user-agent here.

4. Be an OAuth provider

It’d be great if instead of prompting a customer to vend an API token, we could thunk folks over to fly.io for one, similar to how GitHub etc. work. Saves the copy/paste, and as a bonus gives Fly some addl controls and visibility into API integrations (e.g. see how many instances of an app there are, rate limit all of $BAD_APP’s keys differently, etc).

5. Permission scopes

Have to imagine you’re working on it. Most useful scopes to me would be (a) org-level (limit to specific org), (b) r/o vs r/w. Just don’t create another AWS IAM maze… 🙂

cheers!

1 Like

We’re working on these! Specifically, we’re working on a Macaroons-based setup that will give you #5, and make #4 pretty easy.

The ultimate goal is to get to the point where we don’t even keep your tokens, they just pass through and get verified at the last minute to allow infrastructure changes. The first thing you’ll probably see is a reduced scope token to put into CI for deploys, and then I expect other stuff will happen quickly.

I expect audits to come soon as well, but we have to do the token work first.

2 Likes
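An added example, not part of the thread and not Fly's implementation: a minimal sketch of the HMAC-chained macaroon construction, showing how a token holder can add org and read-only restrictions on their own while the issuer verifies using only a root key. The `key=value` caveat grammar, the `org`/`access` names, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, token_id: str) -> dict:
    """Issuer side: the signature starts as HMAC(root_key, token_id)."""
    return {"id": token_id, "caveats": [], "sig": _mac(root_key, token_id)}

def attenuate(token: dict, caveat: str) -> dict:
    """Holder side: add a restriction without knowing the root key.
    New signature = HMAC(old signature, caveat), so caveats can be
    appended by anyone holding the token but never removed."""
    return {"id": token["id"],
            "caveats": token["caveats"] + [caveat],
            "sig": _mac(token["sig"], caveat)}

def _satisfied(caveat: str, request: dict) -> bool:
    # Hypothetical caveat grammar "key=value"; unknown keys fail closed.
    key, _, value = caveat.partition("=")
    if key == "org":
        return request.get("org") == value
    if key == "access":
        return value == "rw" or (value == "ro" and request.get("method") == "GET")
    return False

def verify(root_key: bytes, token: dict, request: dict) -> bool:
    """Issuer side: recompute the chain from the root key, then check
    every caveat against the request. No per-token state is stored."""
    sig = _mac(root_key, token["id"])
    for caveat in token["caveats"]:
        sig = _mac(sig, caveat)
    if not hmac.compare_digest(sig, token["sig"]):
        return False
    return all(_satisfied(c, request) for c in token["caveats"])

# Constructed sample values.
ROOT_KEY = b"constructed-demo-root-key"
full = mint(ROOT_KEY, "token-0001")
scoped = attenuate(attenuate(full, "org=acme"), "access=ro")

if __name__ == "__main__":
    print(verify(ROOT_KEY, scoped, {"org": "acme", "method": "GET"}))
    print(verify(ROOT_KEY, scoped, {"org": "acme", "method": "POST"}))
```

Dropping a caveat from `scoped` while keeping its signature fails verification, because the issuer's recomputed chain no longer matches.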