fix(webapp): honor RevokedApiKey grace window for public access tokens

PATs (public access tokens) are signed with the env's apiKey at mint
time. The original grace-period PR (#3420) updated findEnvironmentByApiKey
to fall back to RevokedApiKey rows for raw secret-key auth, and updated
JWT minting to use the env's current canonical key — but left
validatePublicJwtKey only checking the env's current apiKey. Result:
PATs minted before rotation 401'd immediately on the realtime stream
endpoints, even though the rotation flow advertises a 24h overlap.

Fall back to non-expired RevokedApiKey rows for the signing env (parent
env when the request is against a child) only when the primary signature
check fails. Uses $replica.

Author: ericallam

.server-changes/api-key-rotation-pat-grace-period.md

@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Public Access Tokens (PATs) minted before an API key rotation now keep working during the 24h grace window. `validatePublicJwtKey` falls back to any non-expired `RevokedApiKey` rows for the signing environment when the primary signature check against the env's current `apiKey` fails. The fallback query only runs on the failure path, so the hot success path is unchanged.

apps/webapp/app/models/runtimeEnvironment.server.ts

@@ -109,7 +109,10 @@ export async function findEnvironmentByPublicApiKey(
 
 export async function findEnvironmentById(
   id: string
-): Promise<(AuthenticatedEnvironment & { parentEnvironment: { apiKey: string } | null }) | null> {
+): Promise<
+  | (AuthenticatedEnvironment & { parentEnvironment: { id: string; apiKey: string } | null })
+  | null
+> {
   const environment = await $replica.runtimeEnvironment.findFirst({
     where: {
       id,
@@ -120,6 +123,7 @@ export async function findEnvironmentById(
       orgMember: true,
       parentEnvironment: {
         select: {
+          id: true,
           apiKey: true,
         },
       },

apps/webapp/app/services/realtime/jwtAuth.server.ts

@@ -1,5 +1,6 @@
 import { json } from "@remix-run/server-runtime";
-import { validateJWT } from "@trigger.dev/core/v3/jwt";
+import { validateJWT, type ValidationResult } from "@trigger.dev/core/v3/jwt";
+import { $replica } from "~/db.server";
 import { findEnvironmentById } from "~/models/runtimeEnvironment.server";
 import { AuthenticatedEnvironment } from "../apiAuth.server";
 import { logger } from "../logger.server";
@@ -34,11 +35,23 @@ export async function validatePublicJwtKey(token: string): Promise<ValidatePubli
     return { ok: false, error: "Invalid Public Access Token, environment not found." };
   }
 
-  const result = await validateJWT(
+  let result = await validateJWT(
     token,
     environment.parentEnvironment?.apiKey ?? environment.apiKey
   );
 
+  // PATs are signed with the env's apiKey at mint time. If the env's apiKey
+  // has since been rotated, signature verification fails against the current
+  // key — fall back to any RevokedApiKey rows still in their grace window.
+  // Only run this query on the failure path so the success path is unchanged.
+  if (!result.ok) {
+    result = await validateAgainstRevokedApiKeys(
+      token,
+      environment.parentEnvironment?.id ?? environment.id,
+      result
+    );
+  }
+
   if (!result.ok) {
     switch (result.code) {
       case "ERR_JWT_EXPIRED": {
@@ -71,6 +84,29 @@ export async function validatePublicJwtKey(token: string): Promise<ValidatePubli
   };
 }
 
+async function validateAgainstRevokedApiKeys(
+  token: string,
+  signingEnvironmentId: string,
+  primaryResult: ValidationResult
+): Promise<ValidationResult> {
+  const revokedApiKeys = await $replica.revokedApiKey.findMany({
+    where: {
+      runtimeEnvironmentId: signingEnvironmentId,
+      expiresAt: { gt: new Date() },
+    },
+    select: { apiKey: true },
+  });
+
+  for (const { apiKey } of revokedApiKeys) {
+    const fallbackResult = await validateJWT(token, apiKey);
+    if (fallbackResult.ok) {
+      return fallbackResult;
+    }
+  }
+
+  return primaryResult;
+}
+
 export function isPublicJWT(token: string): boolean {
   // Split the token
   const parts = token.split(".");