add ingest only keys (#1012)

* add ingest only keys

* fix metrics to allow ingestion only keys

* fix migration

* fix types

* loading state on dialog

* fix build

* close /v1/tag from ingest-only keys

* upd message, add claude 4.5

Author: dinmukhamedm

app-server/src/api/v1/metrics.rs

@@ -1,8 +1,9 @@
-use actix_web::{post, HttpRequest, HttpResponse};
+use actix_web::{HttpRequest, HttpResponse, post};
 
 use crate::routes::types::ResponseResult;
 
-#[post("metrics")]
+// /v1/metrics
+#[post("")]
 pub async fn process_metrics(req: HttpRequest) -> ResponseResult {
     // This is a placeholder that just returns ok, so that client otel exporters
     // don't fail when trying to send metrics to the server.

app-server/src/api/v1/tag.rs

@@ -37,7 +37,8 @@ pub enum TagRequest {
     WithSpanId(TagRequestWithSpanId),
 }
 
-#[post("tag")]
+// /v1/tag
+#[post("")]
 pub async fn tag_trace(
     req: Json<TagRequest>,
     clickhouse: web::Data<clickhouse::Client>,

app-server/src/api/v1/traces.rs

@@ -20,7 +20,8 @@ pub struct RabbitMqSpanMessage {
     pub events: Vec<Event>,
 }
 
-#[post("traces")]
+// /v1/traces
+#[post("")]
 pub async fn process_traces(
     req: HttpRequest,
     body: Bytes,

app-server/src/auth/mod.rs

@@ -26,9 +26,10 @@ impl FromRequest for ProjectApiKey {
     }
 }
 
-pub async fn project_validator(
+async fn validate_project_api_key(
     req: ServiceRequest,
     credentials: BearerAuth,
+    allow_ingest_only: bool,
 ) -> Result<ServiceRequest, (Error, ServiceRequest)> {
     let config = req
         .app_data::<Config>()
@@ -48,6 +49,19 @@ pub async fn project_validator(
 
     match get_api_key_from_raw_value(&db.pool, cache, credentials.token().to_string()).await {
         Ok(api_key) => {
+            // Check if ingest-only keys are allowed for this endpoint
+            if !allow_ingest_only && api_key.is_ingest_only {
+                log::warn!(
+                    "Ingest-only API key attempted to access restricted endpoint: project_id={}",
+                    api_key.project_id
+                );
+                // Return a blank 404 to match default actix web behavior
+                let response = actix_web::HttpResponse::NotFound().finish();
+                return Err((
+                    actix_web::error::InternalError::from_response("", response).into(),
+                    req,
+                ));
+            }
             req.extensions_mut().insert(api_key);
             Ok(req)
         }
@@ -57,3 +71,19 @@ pub async fn project_validator(
         }
     }
 }
+
+/// Standard project validator - blocks ingest-only keys
+pub async fn project_validator(
+    req: ServiceRequest,
+    credentials: BearerAuth,
+) -> Result<ServiceRequest, (Error, ServiceRequest)> {
+    validate_project_api_key(req, credentials, false).await
+}
+
+/// Ingestion validator - allows ingest-only keys for trace ingestion endpoints
+pub async fn project_ingestion_validator(
+    req: ServiceRequest,
+    credentials: BearerAuth,
+) -> Result<ServiceRequest, (Error, ServiceRequest)> {
+    validate_project_api_key(req, credentials, true).await
+}

app-server/src/db/project_api_keys.rs

@@ -10,6 +10,7 @@ pub struct ProjectApiKey {
     pub name: Option<String>,
     pub hash: String,
     pub shorthand: String,
+    pub is_ingest_only: bool,
 }
 
 pub async fn get_api_key(pool: &PgPool, hash: &String) -> Result<ProjectApiKey> {
@@ -19,7 +20,8 @@ pub async fn get_api_key(pool: &PgPool, hash: &String) -> Result<ProjectApiKey>
             project_api_keys.project_id,
             project_api_keys.name,
             project_api_keys.id,
-            project_api_keys.shorthand
+            project_api_keys.shorthand,
+            project_api_keys.is_ingest_only
         FROM
             project_api_keys
         WHERE

app-server/src/main.rs

@@ -745,6 +745,8 @@ fn main() -> anyhow::Result<()> {
                     log::info!("Spinning up full HTTP server");
                     HttpServer::new(move || {
                         let project_auth = HttpAuthentication::bearer(auth::project_validator);
+                        let project_ingestion_auth =
+                            HttpAuthentication::bearer(auth::project_ingestion_validator);
 
                         App::new()
                             .wrap(ErrorHandlers::new().handler(
@@ -768,27 +770,40 @@ fn main() -> anyhow::Result<()> {
                             .app_data(web::Data::new(connection_for_health.clone()))
                             .app_data(web::Data::new(query_engine.clone()))
                             .app_data(web::Data::new(sse_connections_for_http.clone()))
+                            // Ingestion endpoints allow both default and ingest-only keys
                             .service(
                                 web::scope("/v1/browser-sessions").service(
                                     web::scope("")
-                                        .wrap(project_auth.clone())
+                                        .wrap(project_ingestion_auth.clone())
                                         .service(api::v1::browser_sessions::create_session_event),
                                 ),
                             )
+                            .service(
+                                web::scope("/v1/traces")
+                                    .wrap(project_ingestion_auth.clone())
+                                    .service(api::v1::traces::process_traces),
+                            )
+                            .service(
+                                web::scope("/v1/metrics")
+                                    .wrap(project_ingestion_auth.clone())
+                                    .service(api::v1::metrics::process_metrics),
+                            )
+                            // Default endpoints block ingest-only keys
+                            .service(
+                                web::scope("/v1/tag")
+                                    .wrap(project_auth.clone())
+                                    .service(api::v1::tag::tag_trace),
+                            )
                             .service(
                                 web::scope("/v1")
                                     .wrap(project_auth.clone())
-                                    .service(api::v1::traces::process_traces)
                                     .service(api::v1::datasets::get_datapoints)
                                     .service(api::v1::datasets::create_datapoints)
                                     .service(api::v1::datasets::get_parquet)
-                                    .service(api::v1::metrics::process_metrics)
-                                    .service(api::v1::browser_sessions::create_session_event)
                                     .service(api::v1::evals::init_eval)
                                     .service(api::v1::evals::save_eval_datapoints)
                                     .service(api::v1::evals::update_eval_datapoint)
                                     .service(api::v1::evaluators::create_evaluator_score)
-                                    .service(api::v1::tag::tag_trace)
                                     .service(api::v1::sql::execute_sql_query)
                                     .service(api::v1::payloads::get_payload),
                             )

app-server/src/traces/grpc_service.rs

@@ -82,6 +82,9 @@ impl TraceService for ProcessTracesService {
     }
 }
 
+/// Authenticates gRPC trace ingestion requests.
+/// Note: This endpoint accepts both default and ingest-only API keys,
+/// as it's used for writing trace data to the project.
 async fn authenticate_request(
     metadata: &tonic::metadata::MetadataMap,
     pool: &PgPool,

frontend/app/api/projects/[projectId]/api-keys/route.ts

@@ -1,5 +1,5 @@
 import { type NextRequest } from 'next/server';
-import { prettifyError,ZodError } from 'zod/v4';
+import { prettifyError, ZodError } from 'zod/v4';
 
 import { createApiKey, deleteApiKey, getApiKeys } from '@/lib/actions/project-api-keys';
 
@@ -15,6 +15,7 @@ export async function POST(
     const result = await createApiKey({
       projectId: params.projectId,
       name: body.name,
+      isIngestOnly: body.isIngestOnly,
     });
 
     return new Response(JSON.stringify(result), {

frontend/components/playground/types.ts

@@ -121,16 +121,16 @@ export const providers: { provider: Provider; models: LanguageModel[] }[] = [
         name: "claude-3-opus-20240229",
         label: "Claude 3 Opus",
       },
-      {
-        id: "anthropic:claude-3-5-sonnet-20241022",
-        name: "claude-3-5-sonnet-20241022",
-        label: "Claude 3.5 Sonnet",
-      },
       {
         id: "anthropic:claude-3-5-haiku-20241022",
         name: "claude-3-5-haiku-20241022",
         label: "Claude 3.5 Haiku",
       },
+      {
+        id: "anthropic:claude-3-5-sonnet-20241022",
+        name: "claude-3-5-sonnet-20241022",
+        label: "Claude 3.5 Sonnet",
+      },
       {
         id: "anthropic:claude-3-7-sonnet-20250219",
         name: "claude-3-7-sonnet-20250219",
@@ -146,6 +146,21 @@ export const providers: { provider: Provider; models: LanguageModel[] }[] = [
         name: "claude-opus-4-20250514",
         label: "Claude 4 Opus",
       },
+      {
+        id: "anthropic:claude-opus-4-1-20250805",
+        name: "claude-opus-4-1-20250805",
+        label: "Claude 4.1 Opus",
+      },
+      {
+        id: "anthropic:claude-haiku-4-5-20251001",
+        name: "claude-haiku-4-5-20251001",
+        label: "Claude 4.5 Haiku",
+      },
+      {
+        id: "anthropic:claude-sonnet-4-5-20250929",
+        name: "claude-sonnet-4-5-20250929",
+        label: "Claude 4.5 Sonnet",
+      },
     ],
   },
   {

frontend/components/settings/project-api-keys/display-key-dialog-content.tsx

@@ -0,0 +1,34 @@
+import { GenerateProjectApiKeyResponse } from "@/lib/api-keys/types";
+
+import { Button } from "../../ui/button";
+import { CopyButton } from "../../ui/copy-button";
+import { DialogFooter } from "../../ui/dialog";
+import { Input } from "../../ui/input";
+
+interface DisplayKeyDialogContentProps {
+  apiKey: GenerateProjectApiKeyResponse;
+  onClose?: () => void;
+}
+
+export function DisplayKeyDialogContent({ apiKey, onClose }: DisplayKeyDialogContentProps) {
+  return (
+    <>
+      <div className="flex flex-col space-y-2">
+        <p className="text-secondary-foreground text-sm">
+          {" "}
+          For security reasons, you will not be able to see this key again. Make sure to copy and save it somewhere
+          safe.{" "}
+        </p>
+        <div className="flex gap-x-2">
+          <Input className="flex text-sm" value={apiKey.value} readOnly />
+          <CopyButton size="icon" className="min-w-8 h-8" text={apiKey.value} />
+        </div>
+      </div>
+      <DialogFooter>
+        <Button onClick={onClose} handleEnter variant="secondary">
+          Close
+        </Button>
+      </DialogFooter>
+    </>
+  );
+}