feat: Add API token support via @better-auth/api-key #973

Closed
Rhonstin wants to merge 2 commits into nicotsx:main from Rhonstin:feat/api-tokens

@Rhonstin

Summary

  • Add @better-auth/api-key plugin for programmatic API access
  • Create API Tokens settings page with full CRUD UI
  • Enable session mocking for seamless integration with existing auth middleware

Changes

Backend

  • app/server/lib/auth.ts: Added apiKey() plugin configuration
    • User-scoped keys with zb_ prefix
    • enableSessionForAPIKeys: true for automatic session creation

Frontend

  • app/client/lib/auth-client.ts: Added apiKeyClient() plugin
  • app/client/modules/settings/components/api-tokens-section.tsx: New UI component
  • app/client/modules/settings/routes/settings.tsx: Added "API Tokens" tab

Usage

Create Token

curl -X POST /api/auth/api-key/create \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"name":"mcp-server"}'

Authenticate

curl -H "x-api-key: zb_..." /api/v1/volumes

Features

  • Create tokens via Settings → API Tokens
  • 90-day default expiration
  • Enable/disable and revoke tokens
  • Compatible with existing requireAuth middleware

- Add @better-auth/api-key dependency
- Configure apiKey plugin with user-scoped keys and zb_ prefix
- Add apiKeyClient to auth-client for frontend integration
- Create API Tokens settings page with CRUD UI
- Enable session mocking for API keys (enableSessionForAPIKeys)

API keys support:
- Create tokens via Settings > API Tokens
- Authenticate via x-api-key header
- 90-day default expiration
- Enable/disable and revoke tokens
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Contributor

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 596691bf-60f2-4553-bdcc-b2e9ab793100

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

@socket-security

socket-security Bot commented Jun 12, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Added | @better-auth/api-key@1.6.14771007897100

- Add apikey table schema for @better-auth/api-key plugin
- Update requireAuth middleware to fallback to user's default org
  when activeOrganizationId is missing (API key mock sessions)
- Pass full schema to drizzleAdapter for apikey model resolution
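
The organization fallback described in the commit above decides which tenant an API-key request acts in, so its edge cases matter. The following is an added example, not code from this PR or the project: resolveOrganization, the session and membership shapes, viaApiKey and isDefault are all hypothetical, and limiting the fallback to API-key sessions is a choice made here.

```javascript
// Added example; every name and data shape below is an assumption.
class AuthError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// session: { userId, activeOrganizationId?, viaApiKey? }
// memberships: [{ userId, organizationId, isDefault }]
function resolveOrganization(session, memberships) {
  if (!session || !session.userId) throw new AuthError(401, "no session");
  const mine = memberships.filter((m) => m.userId === session.userId);

  // An explicit organization is honoured only if the user belongs to it;
  // a stale or foreign id is rejected, never silently replaced.
  if (session.activeOrganizationId) {
    const ok = mine.some((m) => m.organizationId === session.activeOrganizationId);
    if (!ok) throw new AuthError(403, "not a member of active organization");
    return session.activeOrganizationId;
  }

  // Fallback applies only to API-key mock sessions, which carry no
  // activeOrganizationId of their own.
  if (!session.viaApiKey) throw new AuthError(403, "no active organization");
  const fallback = mine.find((m) => m.isDefault);
  if (!fallback) throw new AuthError(403, "user has no default organization");
  return fallback.organizationId;
}

// Returns the organization id, or the HTTP status the middleware would send.
function tryResolve(session, memberships) {
  try {
    return resolveOrganization(session, memberships);
  } catch (err) {
    if (err instanceof AuthError) return err.status;
    throw err;
  }
}

// Constructed sample data.
const MEMBERSHIPS = [
  { userId: "u1", organizationId: "org-a", isDefault: true },
  { userId: "u1", organizationId: "org-b", isDefault: false },
  { userId: "u2", organizationId: "org-c", isDefault: false },
];
```
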
@nicotsx

nicotsx commented Jun 13, 2026

Owner

Hello @Rhonstin, thanks for putting this together. Unfortunately, we already had two PRs lined up for this exact feature. I will close this one as the feature has already landed in main. Next time, if you could discuss the implementation in the issue before jumping on implementation, it will be easier to align.

@nicotsx nicotsx closed this Jun 13, 2026