coder
diff --git a/‎Makefile‎
Lines changed: 7 additions & 0 deletions b/‎Makefile‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/apidoc/docs.go‎
Lines changed: 86 additions & 11 deletions b/‎coderd/apidoc/docs.go‎
Lines changed: 86 additions & 11 deletions
diff --git a/‎coderd/apidoc/swagger.json‎
Lines changed: 88 additions & 8 deletions b/‎coderd/apidoc/swagger.json‎
Lines changed: 88 additions & 8 deletions
diff --git a/‎coderd/apikey.go‎
Lines changed: 14 additions & 4 deletions b/‎coderd/apikey.go‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎coderd/apikey/apikey.go‎
Lines changed: 24 additions & 11 deletions b/‎coderd/apikey/apikey.go‎
Lines changed: 24 additions & 11 deletions
diff --git a/‎coderd/apikey_scopes_validation_test.go‎
Lines changed: 47 additions & 0 deletions b/‎coderd/apikey_scopes_validation_test.go‎
Lines changed: 47 additions & 0 deletions
@@ -647,6 +647,7 @@ GEN_FILES := \
 	coderd/rbac/object_gen.go \
 	codersdk/rbacresources_gen.go \
 	coderd/rbac/scopes_constants_gen.go \
+	codersdk/apikey_scopes_gen.go \
 	docs/admin/integrations/prometheus.md \
 	docs/reference/cli/index.md \
 	docs/admin/security/audit-logs.md \
@@ -860,6 +861,12 @@ codersdk/rbacresources_gen.go: scripts/typegen/codersdk.gotmpl scripts/typegen/m
 	mv /tmp/rbacresources_gen.go codersdk/rbacresources_gen.go
 	touch "$@"
 
+codersdk/apikey_scopes_gen.go: scripts/apikeyscopesgen/main.go coderd/rbac/scopes_catalog.go coderd/rbac/scopes.go
+	# Generate SDK constants for public low-level API key scopes.
+	go run ./scripts/apikeyscopesgen > /tmp/apikey_scopes_gen.go
+	mv /tmp/apikey_scopes_gen.go codersdk/apikey_scopes_gen.go
+	touch "$@"
+
 site/src/api/rbacresourcesGenerated.ts: site/node_modules/.installed scripts/typegen/codersdk.gotmpl scripts/typegen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go
 	go run scripts/typegen/main.go rbac typescript > "$@"
 	(cd site/ && pnpm exec biome format --write src/api/rbacresourcesGenerated.ts)
 
@@ -66,9 +66,19 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	scope := database.APIKeyScopeAll
-	if scope != "" {
-		scope = database.APIKeyScope(createToken.Scope)
+	// Map and validate requested scope.
+	// Accept special scopes (all, application_connect) and curated public low-level scopes.
+	scopes := database.APIKeyScopes{database.APIKeyScopeAll}
+	if createToken.Scope != "" {
+		name := string(createToken.Scope)
+		if !rbac.IsExternalScope(rbac.ScopeName(name)) {
+			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+				Message: "Failed to create API key.",
+				Detail:  fmt.Sprintf("invalid API key scope: %q", name),
+			})
+			return
+		}
+		scopes = database.APIKeyScopes{database.APIKeyScope(name)}
 	}
 
 	tokenName := namesgenerator.GetRandomName(1)
@@ -81,7 +91,7 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 		UserID:          user.ID,
 		LoginType:       database.LoginTypeToken,
 		DefaultLifetime: api.DeploymentValues.Sessions.DefaultTokenDuration.Value(),
-		Scope:           scope,
+		Scopes:          scopes,
 		TokenName:       tokenName,
 	}
 
 
@@ -25,9 +25,16 @@ type CreateParams struct {
 	// Optional.
 	ExpiresAt       time.Time
 	LifetimeSeconds int64
-	Scope           database.APIKeyScope
-	TokenName       string
-	RemoteAddr      string
+	// Scope is legacy single-scope input kept for backward compatibility.
+	//
+	// Deprecated: Prefer Scopes for new code.
+	Scope database.APIKeyScope
+	// Scopes is the full list of scopes to attach to the key.
+	// If empty and Scope is set, the generator will use [Scope].
+	// If both are empty, the generator will default to [APIKeyScopeAll].
+	Scopes     database.APIKeyScopes
+	TokenName  string
+	RemoteAddr string
 }
 
 // Generate generates an API key, returning the key as a string as well as the
@@ -62,14 +69,20 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)
 
 	bitlen := len(ip) * 8
 
-	scope := database.APIKeyScopeAll
-	if params.Scope != "" {
-		scope = params.Scope
-	}
-	switch scope {
-	case database.APIKeyScopeAll, database.APIKeyScopeApplicationConnect:
+	var scopes database.APIKeyScopes
+	switch {
+	case len(params.Scopes) > 0:
+		scopes = params.Scopes
+	case params.Scope != "":
+		scopes = database.APIKeyScopes{params.Scope}
 	default:
-		return database.InsertAPIKeyParams{}, "", xerrors.Errorf("invalid API key scope: %q", scope)
+		scopes = database.APIKeyScopes{database.APIKeyScopeAll}
+	}
+
+	for _, s := range scopes {
+		if !s.Valid() {
+			return database.InsertAPIKeyParams{}, "", xerrors.Errorf("invalid API key scope: %q", s)
+		}
 	}
 
 	token := fmt.Sprintf("%s-%s", keyID, keySecret)
@@ -92,7 +105,7 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)
 		UpdatedAt:    dbtime.Now(),
 		HashedSecret: hashed[:],
 		LoginType:    params.LoginType,
-		Scopes:       database.APIKeyScopes{scope},
+		Scopes:       scopes,
 		AllowList:    database.AllowList{database.AllowListWildcard()},
 		TokenName:    params.TokenName,
 	}, token, nil
 
@@ -0,0 +1,47 @@
+package coderd_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/testutil"
+)
+
+func TestTokenCreation_ScopeValidation(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name    string
+		scope   codersdk.APIKeyScope
+		wantErr bool
+	}{
+		{name: "AllowsPublicLowLevelScope", scope: "workspace:read", wantErr: false},
+		{name: "RejectsInternalOnlyScope", scope: "debug_info:read", wantErr: true},
+		{name: "AllowsLegacyScopes", scope: "application_connect", wantErr: false},
+		{name: "AllowsCanonicalSpecialScope", scope: "all", wantErr: false},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client := coderdtest.New(t, nil)
+			_ = coderdtest.CreateFirstUser(t, client)
+
+			ctx, cancel := context.WithTimeout(t.Context(), testutil.WaitShort)
+			defer cancel()
+
+			resp, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{Scope: tc.scope})
+			if tc.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			require.NotEmpty(t, resp.Key)
+		})
+	}
+}