Restructure deployment docs (#41928)

GitOrigin-RevId: 1450a3152cb6436d9112eebd9f77c6f6866a1b0b

Author: thomasballinger

crates/local_backend/src/environment_variables.rs

@@ -76,6 +76,12 @@ pub struct UpdateEnvVarsRequest {
     path = "/update_environment_variables",
     request_body = UpdateEnvVarsRequest,
     responses((status = 200)),
+    security(
+        ("Deploy Key" = []),
+        ("OAuth Team Token" = []),
+        ("Team Token" = []),
+        ("OAuth Project Token" = []),
+    ),
 )]
 pub async fn update_environment_variables(
     State(st): State<LocalAppState>,
@@ -120,6 +126,12 @@ pub struct ListEnvVarsResponse {
     responses(
         (status = 200, body = ListEnvVarsResponse)
     ),
+    security(
+        ("Deploy Key" = []),
+        ("OAuth Team Token" = []),
+        ("Team Token" = []),
+        ("OAuth Project Token" = []),
+    ),
 )]
 pub async fn list_environment_variables(
     State(st): State<LocalAppState>,

crates/local_backend/src/router.rs

@@ -43,7 +43,15 @@ use tower_http::{
     decompression::RequestDecompressionLayer,
 };
 use udf::HTTP_ACTION_BODY_LIMIT;
-use utoipa::OpenApi;
+use utoipa::{
+    openapi::security::{
+        ApiKey,
+        ApiKeyValue,
+        SecurityScheme,
+    },
+    Modify,
+    OpenApi,
+};
 use utoipa_axum::router::OpenApiRouter;
 
 use crate::{
@@ -152,17 +160,87 @@ use crate::{
     RouterState,
 };
 
-// TODO security per endpoint
+// Security addon for documenting authentication methods
+#[derive(Debug)]
+struct SecurityAddon;
+
+impl Modify for SecurityAddon {
+    fn modify(&self, openapi: &mut utoipa::openapi::OpenApi) {
+        if let Some(schema) = openapi.components.as_mut() {
+            /*
+            // Admin keys look just like deployment keys but there's no need to
+            // contact api.convex.dev to validate them) and cannot be revoked.
+            // The Convex Cloud product avoids giving them out.
+            // We can document this once the distinction between these is clearer.
+            schema.add_security_scheme(
+                "Admin Key",
+                SecurityScheme::Http(
+                    HttpBuilder::new()
+                        .scheme(HttpAuthScheme::Bearer)
+                        .description(Some(
+                            "Admin keys provide full access to a deployment. Created in the \
+                             [dashboard](https://docs.convex.dev/dashboard/deployments/deployment-settings#url-and-deploy-key) \
+                             or via API. Use the `Convex ` prefix (e.g., `Convex <admin_key>`).",
+                        ))
+                        .build(),
+                ),
+            );
+            */
+            schema.add_security_scheme(
+                "Deploy Key",
+                SecurityScheme::ApiKey(ApiKey::Header(
+                    ApiKeyValue::with_description(
+                        "Authorization",
+                        "Deploy keys are used for deployment operations. See \
+                         [deploy key types](https://docs.convex.dev/cli/deploy-key-types) for more information. \
+                         Use the `Convex ` prefix (e.g., `Convex <deploy_key>`).",
+                    ),
+                )),
+            );
+            schema.add_security_scheme(
+                "OAuth Team Token",
+                SecurityScheme::ApiKey(ApiKey::Header(
+                    ApiKeyValue::with_description(
+                        "Authorization",
+                        "Obtained through a [Convex OAuth application](https://docs.convex.dev/management-api). \
+                         Use the `Convex ` prefix (e.g., `Convex <oauth_token>`).",
+                    ),
+                )),
+            );
+            schema.add_security_scheme(
+                "Team Token",
+                SecurityScheme::ApiKey(ApiKey::Header(ApiKeyValue::with_description(
+                    "Authorization",
+                    "Created in the dashboard under team settings for any team you can manage. \
+                     Use the `Convex ` prefix (e.g., `Convex <team_token>`).",
+                ))),
+            );
+            schema.add_security_scheme(
+                "OAuth Project Token",
+                SecurityScheme::ApiKey(ApiKey::Header(
+                    ApiKeyValue::with_description(
+                        "Authorization",
+                        "Obtained through a [Convex OAuth application](https://docs.convex.dev/management-api) \
+                         with project scope. Use the `Convex ` prefix (e.g., `Convex <oauth_project_token>`).",
+                    ),
+                )),
+            );
+        }
+    }
+}
 
 #[derive(OpenApi)]
 #[openapi(
+    modifiers(&SecurityAddon),
     info(
         title = "Convex Deployment API",
         version = "1.0.0",
-        description = "Admin API for interacting with deployments",
+        description = "Admin API for interacting with deployments.",
     ),
     servers(
-        (url = "/api/v1", description = "Deployment API")
+        (url = "{deployment-url}/api/v1", description = "Your Convex deployment", variables(
+            ("deployment-url" = (default = "https://happy-animal-123.convex.cloud", description = "Your deployment URL"))
+        ))
     )
 )]
 struct PlatformApiDoc;

npm-packages/@convex-dev/platform/deployment-openapi.json

@@ -2,7 +2,7 @@
   "openapi": "3.1.0",
   "info": {
     "title": "Convex Deployment API",
-    "description": "Admin API for interacting with deployments",
+    "description": "Admin API for interacting with deployments.",
     "license": {
       "name": "LicenseRef-FSL-1.1-Apache-2.0",
       "identifier": "LicenseRef-FSL-1.1-Apache-2.0"
@@ -11,8 +11,14 @@
   },
   "servers": [
     {
-      "url": "/api/v1",
-      "description": "Deployment API"
+      "url": "{deployment-url}/api/v1",
+      "description": "Your Convex deployment",
+      "variables": {
+        "deployment-url": {
+          "default": "https://happy-animal-123.convex.cloud",
+          "description": "Your deployment URL"
+        }
+      }
     }
   ],
   "paths": {
@@ -35,7 +41,21 @@
           "200": {
             "description": ""
           }
-        }
+        },
+        "security": [
+          {
+            "Deploy Key": []
+          },
+          {
+            "OAuth Team Token": []
+          },
+          {
+            "Team Token": []
+          },
+          {
+            "OAuth Project Token": []
+          }
+        ]
       }
     },
     "/list_environment_variables": {
@@ -54,7 +74,21 @@
               }
             }
           }
-        }
+        },
+        "security": [
+          {
+            "Deploy Key": []
+          },
+          {
+            "OAuth Team Token": []
+          },
+          {
+            "Team Token": []
+          },
+          {
+            "OAuth Project Token": []
+          }
+        ]
       }
     },
     "/update_canonical_url": {
@@ -190,6 +224,32 @@
           }
         }
       }
+    },
+    "securitySchemes": {
+      "Deploy Key": {
+        "type": "apiKey",
+        "in": "header",
+        "name": "Authorization",
+        "description": "Deploy keys are used for deployment operations. See [deploy key types](https://docs.convex.dev/cli/deploy-key-types) for more information. Use the `Convex ` prefix (e.g., `Convex <deploy_key>`)."
+      },
+      "OAuth Project Token": {
+        "type": "apiKey",
+        "in": "header",
+        "name": "Authorization",
+        "description": "Obtained through a [Convex OAuth application](https://docs.convex.dev/management-api) with project scope. Use the `Convex ` prefix (e.g., `Convex <oauth_project_token>`)."
+      },
+      "OAuth Team Token": {
+        "type": "apiKey",
+        "in": "header",
+        "name": "Authorization",
+        "description": "Obtained through a [Convex OAuth application](https://docs.convex.dev/management-api). Use the `Convex ` prefix (e.g., `Convex <oauth_token>`)."
+      },
+      "Team Token": {
+        "type": "apiKey",
+        "in": "header",
+        "name": "Authorization",
+        "description": "Created in the dashboard under team settings for any team you can manage. Use the `Convex ` prefix (e.g., `Convex <team_token>`)."
+      }
     }
   }
 }

npm-packages/@convex-dev/platform/management-openapi.json

@@ -56,7 +56,9 @@
         },
         "security": [
           {
-            "OAuth Team Token": [],
+            "OAuth Team Token": []
+          },
+          {
             "Team Token": []
           }
         ]
@@ -95,7 +97,9 @@
         },
         "security": [
           {
-            "OAuth Team Token": [],
+            "OAuth Team Token": []
+          },
+          {
             "Team Tokens": []
           }
         ]
@@ -134,9 +138,13 @@
         },
         "security": [
           {
-            "OAuth Project Token": [],
-            "OAuth Team Token": [],
+            "OAuth Team Token": []
+          },
+          {
             "Team Token": []
+          },
+          {
+            "OAuth Project Token": []
           }
         ]
       }
@@ -164,7 +172,9 @@
         },
         "security": [
           {
-            "OAuth Team Token": [],
+            "OAuth Team Token": []
+          },
+          {
             "Team Token": []
           }
         ]
@@ -207,9 +217,13 @@
         },
         "security": [
           {
-            "OAuth Project Token": [],
-            "OAuth Team Token": [],
+            "OAuth Team Token": []
+          },
+          {
             "Team Token": []
+          },
+          {
+            "OAuth Project Token": []
           }
         ]
       }
@@ -233,9 +247,13 @@
         },
         "security": [
           {
-            "OAuth Project Token": [],
-            "OAuth Team Token": [],
+            "OAuth Team Token": []
+          },
+          {
             "Team Token": []
+          },
+          {
+            "OAuth Project Token": []
           }
         ]
       }
@@ -269,9 +287,13 @@
         },
         "security": [
           {
-            "OAuth Project Token": [],
-            "OAuth Team Token": [],
+            "OAuth Team Token": []
+          },
+          {
             "Team Token": []
+          },
+          {
+            "OAuth Project Token": []
           }
         ]
       }
@@ -306,9 +328,13 @@
         },
         "security": [
           {
-            "OAuth Project Token": [],
-            "OAuth Team Token": [],
+            "OAuth Team Token": []
+          },
+          {
             "Team Token": []
+          },
+          {
+            "OAuth Project Token": []
           }
         ]
       }
@@ -340,9 +366,13 @@
         },
         "security": [
           {
-            "OAuth Project Token": [],
-            "OAuth Team Token": [],
+            "OAuth Team Token": []
+          },
+          {
             "Team Token": []
+          },
+          {
+            "OAuth Project Token": []
           }
         ]
       }