adding-project-secret-api-key-auth


Adding project secret API key (PSAK) auth to an endpoint

What a PSAK is

A ProjectSecretAPIKey is a project-scoped, user-less service credential (posthog/models/project_secret_api_key.py). It behaves like a personal API key but survives users leaving the project, carries its own scopes, and authenticates as a synthetic user — not a real User row.

  • Token format: phs_... (Bearer header only — no body fallback, unlike the legacy token).
  • Scopes are project-wide within their resource type and deliberately ignore object-level access controls (per-resource RBAC).
  • Do not confuse it with TeamSecretTokenAuthentication. That class validates the legacy per-team Team.secret_api_token (also phs_-prefixed) and is only used for feature-flag local evaluation and similar pre-PSAK surfaces; it is slated to migrate to PSAK at some point.

Keys are managed at POST /api/environments/:id/project_secret_api_keys: a key is created with a label and a list of scopes, the plaintext value is returned exactly once (in the creation response), a roll action rotates the value, a project may hold at most 50 keys, and the wildcard * scope is not allowed.
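The following is an added illustration, not code from PostHog or this skill: a self-contained Python model of the PSAK rules listed above (phs_ prefix, Bearer header only with no body fallback, plaintext shown once, roll to rotate, 50-key cap, no wildcard scope, project-wide scopes with no object-level check). Every name in it (PSAKStore, issue_key, roll_key, authenticate_bearer, has_scope) is hypothetical, and the SHA-256 hashing, the in-memory store and the rule that a write scope satisfies the matching read scope are assumptions standing in for whatever the real model does.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PREFIX = "phs_"             # token prefix stated on the page
MAX_KEYS_PER_PROJECT = 50   # per-project cap stated on the page


@dataclass
class ProjectSecretAPIKey:
    project_id: int
    label: str
    scopes: list
    secure_value: str       # hash of the token; the plaintext is never stored


@dataclass
class PSAKStore:
    """Hypothetical in-memory stand-in for the database table."""
    keys: dict = field(default_factory=dict)   # hash -> key record


def hash_token(token: str) -> str:
    # Assumption: plain SHA-256 stands in for the real model's hashing.
    return hashlib.sha256(token.encode()).hexdigest()


def validate_scopes(scopes: list) -> None:
    """Reject the wildcard scope and anything that is not 'resource:read|write'."""
    if not scopes:
        raise ValueError("at least one scope is required")
    for scope in scopes:
        if scope == "*":
            raise ValueError("the wildcard * scope is not allowed on a PSAK")
        resource, sep, level = scope.partition(":")
        if not resource or not sep or level not in ("read", "write"):
            raise ValueError(f"malformed scope {scope!r}")


def issue_key(store: PSAKStore, project_id: int, label: str, scopes: list):
    """Create a key; returns (plaintext, record). The plaintext is returned only here."""
    validate_scopes(scopes)
    existing = sum(1 for k in store.keys.values() if k.project_id == project_id)
    if existing >= MAX_KEYS_PER_PROJECT:
        raise ValueError(f"project {project_id} already has {MAX_KEYS_PER_PROJECT} keys")
    plaintext = PREFIX + secrets.token_urlsafe(32)
    key = ProjectSecretAPIKey(project_id, label, list(scopes), hash_token(plaintext))
    store.keys[key.secure_value] = key
    return plaintext, key


def roll_key(store: PSAKStore, key: ProjectSecretAPIKey) -> str:
    """Rotate: the old value stops working immediately; label and scopes are kept."""
    del store.keys[key.secure_value]
    plaintext = PREFIX + secrets.token_urlsafe(32)
    key.secure_value = hash_token(plaintext)
    store.keys[key.secure_value] = key
    return plaintext


def authenticate_bearer(store: PSAKStore, headers: dict, body=None):
    """Resolve a key from 'Authorization: Bearer phs_...'; the body is deliberately ignored."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token.startswith(PREFIX):
        return None
    candidate = hash_token(token)
    for stored_hash, key in store.keys.items():
        if hmac.compare_digest(stored_hash, candidate):   # constant-time compare
            return key
    return None


def has_scope(key: ProjectSecretAPIKey, required: str) -> bool:
    """Project-wide check per resource type; no object-level RBAC is consulted.
    Assumption: 'resource:write' also satisfies 'resource:read'."""
    resource, _, level = required.partition(":")
    for scope in key.scopes:
        r, _, lvl = scope.partition(":")
        if r == resource and (lvl == level or lvl == "write"):
            return True
    return False
```

The two properties worth carrying into a real implementation are that the token never exists in the store after creation (only its hash does, so a database read cannot recover it) and that the authenticator reads exactly one header and nothing else, which is what "no body fallback" buys you: a token that leaks into a logged request body can not be replayed through this path.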

Wiring a viewset action — the checklist

The machinery is shipped but nothing is wired to it yet; the first planned consumer is the run action of the endpoints product. Four things are needed, all of them required:

1. Whitelist the scope/action pair

PSAK-assignable scopes are a global allowlist in posthog/scopes.py:

adding-project-secret-api-key-auth — posthog/posthog-foss