Remove SUPER_API_KEY support

Merge branch 'main' into demo-mode
Status API response: needsSetup
2026-04-06 08:41:57 +02:00 · 2025-09-03 16:28:40 +03:00 · 2025-09-03 14:45:19 +03:00 · 2025-09-03 14:44:50 +03:00 · 2025-09-01 13:29:02 +03:00
5 changed files with 7 additions and 29 deletions
--- a/.env.example
+++ b/.env.example
@@ -59,8 +59,6 @@ STORAGE_S3_FORCE_PATH_STYLE=false
 JWT_SECRET=a-very-secret-key-that-you-should-change
 JWT_EXPIRES_IN="7d"

-# Set the credentials for the initial admin user.
-SUPER_API_KEY=

 # Master Encryption Key for sensitive data (Such as Ingestion source credentials and passwords)
 # IMPORTANT: Generate a secure, random 32-byte hex string for this
--- a/docs/api/authentication.md
+++ b/docs/api/authentication.md
@@ -43,18 +43,3 @@ Authorization: Bearer your.jwt.token
 ```

 If the token is missing, expired, or invalid, the API will respond with a `401 Unauthorized` status code.
-
-## Using a Super API Key
-
-Alternatively, for server-to-server communication or scripts, you can use a super API key. This key provides unrestricted access to the API and should be kept secret.
-
-You can set the `SUPER_API_KEY` in your `.env` file.
-
-To authenticate using the super API key, include it in the `Authorization` header as a Bearer token.
-
-**Example:**
-
-```http
-GET /api/v1/dashboard/stats
-Authorization: Bearer your-super-secret-api-key
-```
--- a/docs/user-guides/installation.md
+++ b/docs/user-guides/installation.md
@@ -105,12 +105,12 @@ These variables are used by `docker-compose.yml` to configure the services.

 #### Security & Authentication

-| Variable         | Description                                                         | Default Value                              |
-| ---------------- | ------------------------------------------------------------------- | ------------------------------------------ |
-| `JWT_SECRET`     | A secret key for signing JWT tokens.                                | `a-very-secret-key-that-you-should-change` |
-| `JWT_EXPIRES_IN` | The expiration time for JWT tokens.                                 | `7d`                                       |
-| `SUPER_API_KEY`  | An API key with super admin privileges.                             |                                            |
-| `ENCRYPTION_KEY` | A 32-byte hex string for encrypting sensitive data in the database. |                                            |
+| Variable                         | Description                                                                                                                                    | Default Value                              |
+| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ |
+| `JWT_SECRET`                     | A secret key for signing JWT tokens.                                                                                                           | `a-very-secret-key-that-you-should-change` |
+| `JWT_EXPIRES_IN`                 | The expiration time for JWT tokens.                                                                                                            | `7d`                                       |
+| ~~`SUPER_API_KEY`~~ (Deprecated) | An API key with super admin privileges. (The SUPER_API_KEY is deprecated since v0.3.0 after we roll out the role-based access control system.) |                                            |
+| `ENCRYPTION_KEY`                 | A 32-byte hex string for encrypting sensitive data in the database.                                                                            |                                            |

 ## 3. Run the Application

--- a/packages/backend/src/api/controllers/auth.controller.ts
+++ b/packages/backend/src/api/controllers/auth.controller.ts
@@ -121,7 +121,7 @@ export class AuthController {
 				);
 				return res.status(200).json({ needsSetup: false });
 			}
-			return res.status(200).json({ needsSetupUser });
+			return res.status(200).json({ needsSetup: needsSetupUser });
 		} catch (error) {
 			console.error('Status check error:', error);
 			return res.status(500).json({ message: req.t('errors.internalServerError') });
--- a/packages/backend/src/api/middleware/requireAuth.ts
+++ b/packages/backend/src/api/middleware/requireAuth.ts
@@ -20,11 +20,6 @@ export const requireAuth = (authService: AuthService) => {
 		}
 		const token = authHeader.split(' ')[1];
 		try {
-			// use a SUPER_API_KEY for all authentications. add process.env.SUPER_API_KEY conditional check in case user didn't set a SUPER_API_KEY.
-			if (process.env.SUPER_API_KEY && token === process.env.SUPER_API_KEY) {
-				next();
-				return;
-			}
 			const payload = await authService.verifyToken(token);
 			if (!payload) {
 				return res.status(401).json({ message: 'Unauthorized: Invalid token' });
Author	SHA1	Message	Date
Wayne	9a3bc8e464	Remove SUPER_API_KEY support	2025-09-03 16:28:40 +03:00
Wayne	927bb61446	Merge branch 'main' into demo-mode	2025-09-03 14:45:19 +03:00
Wayne	4c0ab37ada	Status API response: needsSetup	2025-09-03 14:44:50 +03:00
Wayne	fbff3059c9	Disable system settings for demo mode	2025-09-01 13:29:02 +03:00