feat(auth): require API key alongside whitelisted hotkey #3

Merged
echobt merged 2 commits into main from feat/add-worker-api-key-auth
Feb 17, 2026

@echobt echobt commented Feb 17, 2026

Summary

Add a mandatory API key verification step to the existing hotkey-based authentication flow. Whitelisted hotkeys must now also provide a valid API key via the X-Api-Key header, configured through the WORKER_API_KEY environment variable.

Changes

  • src/auth.rs: Add api_key field to AuthHeaders, extract X-Api-Key header in extract_auth_headers(), and validate it against the expected key in verify_request(). Add InvalidApiKey variant to AuthError with appropriate error messages and codes. Move sp_ss58_checksum helper before the test module to fix clippy items_after_test_module lint.
  • src/config.rs: Add worker_api_key field to Config, loaded from the required WORKER_API_KEY env var. Log confirmation that the key is configured on startup.
  • src/handlers.rs: Pass config.worker_api_key to verify_request() and update the missing-headers error message to include X-Api-Key.
  • AGENTS.md: Document the new WORKER_API_KEY env var and updated authentication requirements.
  • Cargo.lock: Version bump to 1.1.0.

Testing

  • New unit tests: test_verify_request_invalid_api_key and test_extract_auth_headers_missing_api_key
  • Existing tests updated to include the api_key field

Breaking Changes

  • WORKER_API_KEY environment variable is now required — the server will panic on startup if it is not set.
  • All POST /submit requests must include a valid X-Api-Key header in addition to the existing auth headers.

Add a WORKER_API_KEY environment variable (required) that whitelisted hotkeys
must provide via the X-Api-Key HTTP header to access protected endpoints.

Authentication now requires both a valid whitelisted hotkey (X-Hotkey) and a
matching API key (X-Api-Key) for submitting batches via POST /submit. This adds
a second layer of request validation controlled by the worker operator.

Changes:
- auth.rs: Add api_key field to AuthHeaders, extract X-Api-Key header in
  extract_auth_headers, add InvalidApiKey variant to AuthError, and validate
  the API key in verify_request against the expected value. Added tests for
  invalid API key rejection and missing header detection.
- config.rs: Add worker_api_key field to Config, loaded from WORKER_API_KEY
  env var (panics if unset). Log confirmation at startup.
- handlers.rs: Pass worker_api_key from config to verify_request, update
  error message to list X-Api-Key as a required header.
- AGENTS.md: Document WORKER_API_KEY env var and updated auth flow.
- Cargo.lock: Version bump to 1.1.0.
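
A sketch of the combined hotkey and API key check described above, as an added example rather than code from this PR. The names `check_request` and `ct_eq`, the error variants other than `InvalidApiKey`, the lower-cased header map and the constant-time comparison are assumptions; the key values are constructed.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
enum AuthError {
    MissingHeader(&'static str),
    HotkeyNotWhitelisted,
    InvalidApiKey,
}

/// Compare two byte strings without returning at the first mismatch, so the
/// response time does not reveal how many leading bytes of the key matched.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    let mut diff = a.len() ^ b.len();
    for i in 0..a.len().max(b.len()) {
        let x = *a.get(i).unwrap_or(&0);
        let y = *b.get(i).unwrap_or(&0);
        diff |= (x ^ y) as usize;
    }
    std::hint::black_box(diff) == 0
}

/// Hypothetical check: the header names come from the PR description, the
/// logic is a sketch. `headers` keys are assumed to be lower-cased already.
fn check_request(
    headers: &HashMap<String, String>,
    whitelist: &[&str],
    expected_key: &str,
) -> Result<(), AuthError> {
    let hotkey = headers.get("x-hotkey").ok_or(AuthError::MissingHeader("X-Hotkey"))?;
    let api_key = headers.get("x-api-key").ok_or(AuthError::MissingHeader("X-Api-Key"))?;
    if !whitelist.contains(&hotkey.as_str()) {
        return Err(AuthError::HotkeyNotWhitelisted);
    }
    // An empty configured key must never match an empty header value.
    if expected_key.is_empty() || !ct_eq(api_key.as_bytes(), expected_key.as_bytes()) {
        return Err(AuthError::InvalidApiKey);
    }
    Ok(())
}

fn main() {
    // Constructed sample values, not real keys.
    let mut h = HashMap::new();
    h.insert("x-hotkey".to_string(), "hotkey-A".to_string());
    h.insert("x-api-key".to_string(), "wrong".to_string());
    println!("{:?}", check_request(&h, &["hotkey-A"], "s3cret-constructed"));
}
```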

coderabbitai bot commented Feb 17, 2026

Warning

Rate limit exceeded

@echobt has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 0 minutes and 42 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

@echobt echobt merged commit 887f72b into main Feb 17, 2026
3 checks passed
@echobt echobt deleted the feat/add-worker-api-key-auth branch February 17, 2026 16:45
github-actions bot pushed a commit that referenced this pull request Feb 17, 2026
# [1.2.0](v1.1.0...v1.2.0) (2026-02-17)

### Features

* **auth:** add sr25519 signature + nonce verification ([dc8d8d4](dc8d8d4))
* **auth:** require API key alongside whitelisted hotkey ([#3](#3)) ([887f72b](887f72b))

🎉 This PR is included in version 1.2.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
