feat(cli,webapp): mint short-lived delegated tokens that act as a user #3997

Merged: ericallam merged 1 commit into main from feat/delegated-user-actor-token, Jun 19, 2026
Conversation

@ericallam (Member)

Summary

Adds a short-lived, delegated token (tr_uat_...) that authenticates against the API as a user without handing out a long-lived personal access token. You mint one from a PAT, optionally narrow it to a set of scopes, and give it a lifetime; the API then treats requests as that user, subject to their role.

trigger.dev mint-token is the entry point (it uses your stored PAT):

UAT=$(trigger.dev mint-token --ttl 3600 --cap read:runs)

The token works anywhere a PAT does for user-level endpoints, and can be exchanged for an environment JWT at POST /api/v1/projects/:ref/:env/jwt to reach environment-scoped data (the same exchange a PAT supports).

How it works

A user-actor token is a short-lived JWT verified by a new first-class authenticateUserActor method on the RBAC plugin. Self-hosters get a built-in fallback; role-aware enforcement comes from the plugin. Effective permissions are the intersection of the user's role and the token's optional scope cap, so a token is only ever narrower than the user, never broader.

Minting is restricted to personal access tokens (a token can't mint another one, and an environment key can't mint one). Tokens default to a 1 hour lifetime (max 365 days). When exchanged for an environment JWT, the user is stamped on it for attribution and the scope cap is carried through.
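To make the delegation rules in the description concrete, here is an added TypeScript example. It is not trigger.dev's code and nothing in it comes from this PR's files; it models the rules the description states (PAT-only minting, a 1 hour default and 365 day maximum lifetime, effective permissions as the intersection of the user's role and the token's cap, and the user and cap being carried through on exchange for an environment JWT). The scope names, the Credential and EnvironmentJwt shapes, and the choice to reject rather than clamp an over-long TTL are assumptions made for the example; real tokens are signed JWTs, whereas these are plain objects so the rules can be exercised offline.

```typescript
// Added example, not trigger.dev's own code. It models the delegation rules the PR
// describes: only a PAT can mint, lifetime is bounded, effective permissions are the
// intersection of the user's role and the token's cap, and the cap plus the acting user
// are carried through when the token is exchanged for an environment JWT.
// Assumptions (not from the PR): scope names, the Credential/EnvironmentJwt shapes, and
// rejecting (rather than clamping) an over-long TTL. Real tokens are signed JWTs; here
// they are plain objects so the rules can be exercised offline.

export type Scope = string;

export interface Role {
  name: string;
  permissions: ReadonlySet<Scope>;
}

export interface UserActorToken {
  kind: "uat";              // the PR's tr_uat_ token class
  userId: string;           // the user the token acts as
  cap?: ReadonlySet<Scope>; // optional narrowing; absent means "the user's full role"
  exp: number;              // expiry, unix seconds
}

export type Credential =
  | { kind: "pat"; userId: string }
  | UserActorToken
  | { kind: "env_key"; environmentId: string };

// Hypothetical shape of the environment JWT the exchange produces.
export interface EnvironmentJwt {
  environmentId: string;
  actorUserId: string;      // user stamped on for attribution
  cap?: ReadonlySet<Scope>; // scope cap carried through unchanged
  exp: number;
}

export const DEFAULT_TTL_SECONDS = 3600;        // 1 hour default, per the PR
export const MAX_TTL_SECONDS = 365 * 24 * 3600; // 365 day maximum, per the PR

// Lifetime policy. The PR gives the default and the maximum; this example rejects a
// request above the maximum instead of silently clamping it (an assumption).
export function resolveTtl(requested?: number): number {
  if (requested === undefined) return DEFAULT_TTL_SECONDS;
  if (!Number.isInteger(requested) || requested <= 0) {
    throw new Error("ttlSeconds must be a positive integer");
  }
  if (requested > MAX_TTL_SECONDS) {
    throw new Error(`ttlSeconds exceeds the ${MAX_TTL_SECONDS}s maximum`);
  }
  return requested;
}

// Minting is PAT-only: a UAT cannot mint another UAT (no chaining) and an environment
// key has no user to delegate.
export function mintUserActorToken(
  caller: Credential,
  opts: { cap?: Iterable<Scope>; ttlSeconds?: number },
  nowSeconds: number
): UserActorToken {
  if (caller.kind !== "pat") {
    throw new Error(`only a personal access token can mint a user-actor token (got ${caller.kind})`);
  }
  return {
    kind: "uat",
    userId: caller.userId,
    cap: opts.cap ? new Set(opts.cap) : undefined,
    exp: nowSeconds + resolveTtl(opts.ttlSeconds),
  };
}

// role ∩ cap: the cap can only remove permissions, never add one the role lacks.
// An expired token has no permissions at all.
export function effectivePermissions(role: Role, token: UserActorToken, nowSeconds: number): Set<Scope> {
  if (token.exp <= nowSeconds) return new Set();
  const cap = token.cap;
  if (!cap) return new Set(role.permissions);
  return new Set(Array.from(role.permissions).filter((scope) => cap.has(scope)));
}

export function isAllowed(role: Role, token: UserActorToken, scope: Scope, nowSeconds: number): boolean {
  return effectivePermissions(role, token, nowSeconds).has(scope);
}

// Exchange for an environment JWT: the acting user is stamped on for attribution and
// the cap is copied through, so the environment token is never broader than the UAT.
export function exchangeForEnvironmentJwt(token: UserActorToken, environmentId: string, nowSeconds: number): EnvironmentJwt {
  if (token.exp <= nowSeconds) throw new Error("user-actor token has expired");
  return { environmentId, actorUserId: token.userId, cap: token.cap, exp: token.exp };
}

// Constructed sample role for trying the functions above.
export const memberRole: Role = {
  name: "member",
  permissions: new Set(["read:runs", "write:runs", "read:env-vars"]),
};
```

The point worth checking by hand is the cap: a cap of `["read:runs", "admin:org"]` applied to `memberRole` yields only `read:runs`, because `admin:org` is not in the role and the intersection cannot grant it.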

@changeset-bot

changeset-bot Bot commented Jun 19, 2026


🦋 Changeset detected

Latest commit: 9ad2316

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 26 packages
Name Type
trigger.dev Patch
@trigger.dev/build Patch
@trigger.dev/core Patch
@trigger.dev/plugins Patch
@trigger.dev/python Patch
@trigger.dev/react-hooks Patch
@trigger.dev/redis-worker Patch
@trigger.dev/rsc Patch
@trigger.dev/schema-to-json Patch
@trigger.dev/sdk Patch
@trigger.dev/database Patch
@trigger.dev/otlp-importer Patch
@trigger.dev/rbac Patch
@trigger.dev/sso Patch
@internal/cache Patch
@internal/clickhouse Patch
@internal/llm-model-catalog Patch
@internal/redis Patch
@internal/replication Patch
@internal/run-engine Patch
@internal/schedule-engine Patch
@internal/testcontainers Patch
@internal/tracing Patch
@internal/tsql Patch
@internal/zod-worker Patch
@internal/sdk-compat-tests Patch


@coderabbitai (Contributor)

coderabbitai Bot commented Jun 19, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 9b7743c1-43fe-4ff9-bd49-1f46023c999d

📥 Commits

Reviewing files that changed from the base of the PR and between feb93a7 and 9ad2316.

📒 Files selected for processing (14)
  • .changeset/mint-token-command.md
  • apps/webapp/app/routes/api.v1.auth.user-actor-token.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.jwt.ts
  • apps/webapp/app/services/environmentVariableApiAccess.server.ts
  • apps/webapp/app/services/personalAccessToken.server.ts
  • apps/webapp/app/services/rbac.server.ts
  • apps/webapp/app/services/routeBuilders/apiBuilder.server.ts
  • internal-packages/rbac/src/fallback.ts
  • internal-packages/rbac/src/index.ts
  • packages/cli-v3/src/apiClient.ts
  • packages/cli-v3/src/cli/index.ts
  • packages/cli-v3/src/commands/mint-token.ts
  • packages/plugins/src/index.ts
  • packages/plugins/src/rbac.ts
✅ Files skipped from review due to trivial changes (1)
  • .changeset/mint-token-command.md
🚧 Files skipped from review as they are similar to previous changes (13)
  • packages/plugins/src/index.ts
  • packages/cli-v3/src/cli/index.ts
  • packages/cli-v3/src/apiClient.ts
  • apps/webapp/app/services/environmentVariableApiAccess.server.ts
  • apps/webapp/app/services/personalAccessToken.server.ts
  • apps/webapp/app/services/rbac.server.ts
  • internal-packages/rbac/src/index.ts
  • apps/webapp/app/services/routeBuilders/apiBuilder.server.ts
  • internal-packages/rbac/src/fallback.ts
  • packages/plugins/src/rbac.ts
  • packages/cli-v3/src/commands/mint-token.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.jwt.ts
  • apps/webapp/app/routes/api.v1.auth.user-actor-token.ts
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (33)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (7, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (3, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (8, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (11, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (5, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (10, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (9, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (12, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (1, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (4, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (6, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (2, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (9, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (7, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (8, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (10, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (4, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (5, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (6, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (2, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (3, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (1, 10)
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - pnpm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - npm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - pnpm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - npm)
  • GitHub Check: packages / 🧪 Unit Tests: Packages (2, 3)
  • GitHub Check: typecheck / typecheck
  • GitHub Check: packages / 🧪 Unit Tests: Packages (3, 3)
  • GitHub Check: packages / 🧪 Unit Tests: Packages (1, 3)
  • GitHub Check: e2e-webapp / 🧪 E2E Tests: Webapp
  • GitHub Check: 🛡️ E2E Auth Tests (full)
  • GitHub Check: Build and publish previews

Walkthrough

This PR introduces a delegated "user-actor" token (UAT) system and a trigger.dev mint-token CLI command. The token grammar (tr_uat_ prefix, JWT sign/verify functions, UserActorClaims, UserActorAuthResult) is defined in packages/plugins/src/rbac.ts and propagated through the RBAC package's fallback controller and lazy controller via a new authenticateUserActor method. A new webapp API route (api.v1.auth.user-actor-token) mints short-lived UATs from a caller's PAT with optional cap, client, and ttlSeconds parameters. Existing webapp routes and services (env.jwt, apiBuilder, personalAccessToken, environmentVariableApiAccess) are updated to accept and verify UATs alongside PATs. The CLI gains a mint-token command backed by a new CliApiClient.mintUserActorToken method.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)
  • Description check: ⚠️ Warning. The description is largely incomplete and does not follow the repository template structure, missing key sections like the issue reference, checklist, testing steps, and changelog. Resolution: add the missing template sections: close with an issue reference, include the checklist with all items, document testing steps, provide a changelog entry, and add screenshots if applicable.
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 23.08% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
  • Title check: ✅ Passed. The title clearly and concisely describes the primary change: adding a feature to mint short-lived delegated tokens that authenticate as a user, which is the main objective of the PR.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@ericallam ericallam marked this pull request as ready for review June 19, 2026 14:31

@ericallam ericallam force-pushed the feat/delegated-user-actor-token branch from feb93a7 to 9ad2316 Compare June 19, 2026 14:54
@pkg-pr-new

pkg-pr-new Bot commented Jun 19, 2026


@trigger.dev/build

npm i https://pkg.pr.new/@trigger.dev/build@9ad2316

trigger.dev

npm i https://pkg.pr.new/trigger.dev@9ad2316

@trigger.dev/core

npm i https://pkg.pr.new/@trigger.dev/core@9ad2316

@trigger.dev/python

npm i https://pkg.pr.new/@trigger.dev/python@9ad2316

@trigger.dev/react-hooks

npm i https://pkg.pr.new/@trigger.dev/react-hooks@9ad2316

@trigger.dev/redis-worker

npm i https://pkg.pr.new/@trigger.dev/redis-worker@9ad2316

@trigger.dev/rsc

npm i https://pkg.pr.new/@trigger.dev/rsc@9ad2316

@trigger.dev/schema-to-json

npm i https://pkg.pr.new/@trigger.dev/schema-to-json@9ad2316

@trigger.dev/sdk

npm i https://pkg.pr.new/@trigger.dev/sdk@9ad2316

commit: 9ad2316

@ericallam ericallam enabled auto-merge (squash) June 19, 2026 15:18
@ericallam ericallam merged commit 06969b2 into main Jun 19, 2026
53 checks passed
@ericallam ericallam deleted the feat/delegated-user-actor-token branch June 19, 2026 15:18