Stu Mason

Activity

Pull Request Merged

PR #7 merged: ADR: Per-User API Keys for Multi-Tenant SaaS Support

Summary

This PR proposes an architecture decision for implementing per-user API keys to support multi-tenant SaaS deployments.

Problem

Currently, a single API key grants access to ALL users' data. If compromised in a SaaS context, it's a total data breach.

Solution

Each user gets their own API key, scoped to only their data:

  • Key generated on OAuth completion
  • Returned to calling app (Laravel) for storage
  • All API calls validated against user_id in path
  • Compromised key = single user affected

Key Changes Proposed

  1. Add api_key_hash, api_key_prefix columns to User model
  2. Generate API key during OAuth callback
  3. New auth guard that validates key ownership
  4. Backward compatible with existing single API key mode

Test plan

  • Review ADR for architectural soundness
  • Identify any security concerns
  • Validate backward compatibility approach
  • Confirm implementation plan is complete

🤖 Generated with Claude Code

+1759 additions, -36 deletions, 14 files changed
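
The scheme summarised in the PR description (key issued at OAuth completion, only api_key_hash and api_key_prefix stored, guard checks the key against the user_id in the path, single-key mode kept for compatibility) can be sketched as follows. This is an added example, not code from the PR or the project: the function names, the in-memory store, the "sk_" key format, the prefix length and the use of SHA-256 are all assumptions.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 12  # assumption: non-secret lookup prefix ("sk_" + 9 random chars)


def _digest(key):
    # Keys are 256-bit random values, so a fast hash is adequate here
    # (assumption: the ADR's actual hash choice is not shown on the page).
    return hashlib.sha256(key.encode()).hexdigest()


def issue_api_key(user_id, store):
    """OAuth-callback step: mint a key, persist only its prefix and hash."""
    while True:
        key = "sk_" + secrets.token_urlsafe(32)
        prefix = key[:PREFIX_LEN]
        if prefix not in store:  # keep prefixes unique for lookup
            break
    # 'store' stands in for the User table: api_key_prefix -> row
    store[prefix] = {"user_id": user_id, "api_key_hash": _digest(key)}
    return key  # handed once to the calling app; never stored in clear


def authorize(presented_key, path_user_id, store, legacy_key=None):
    """Guard: the key must be valid AND belong to the user_id in the path."""
    if legacy_key is not None and hmac.compare_digest(
        presented_key.encode(), legacy_key.encode()
    ):
        return True  # backward-compatible single-key mode: all users
    row = store.get(presented_key[:PREFIX_LEN])
    if row is None:
        return False
    # Constant-time comparison of hashes avoids a timing side channel.
    if not hmac.compare_digest(_digest(presented_key), row["api_key_hash"]):
        return False
    # Ownership check: a valid key for user A must not open user B's path.
    return row["user_id"] == path_user_id
```

Note that while the legacy single key remains enabled, its compromise still exposes every user, so the blast-radius benefit only holds once that mode is switched off.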