Add support for Authentication-only Backend API Keys (#580)

This PR adds support for a new `authentication_only` column on Backend
API Keys. When this value is `true`, the auth interceptor for the
Backend API service will enforce that only the `AuthenticateAPIKey` RPC
can be called. All other requests will receive a permission denied
response.

It also adds the supporting CRUD to the backend store and console to
make this work holistically.

This has been tested and is working locally.

<img width="545" height="413" alt="Screenshot 2025-09-10 at 10 02 30 AM"
src="https://github.com/user-attachments/assets/adb0ddae-e20d-47d9-bd6c-06f670222e38"
/>
<img width="1571" height="701" alt="Screenshot 2025-09-10 at 10 02
37 AM"
src="https://github.com/user-attachments/assets/c8791988-f209-40c0-9fb0-b088b6100537"
/>

Author: blakeofwilliam

cmd/tesseralctl/migrations/000095_authentication_only_backend_api_keys.down.sql

@@ -0,0 +1,2 @@
+alter table backend_api_keys
+  add column authentication_only boolean not null default false;

cmd/tesseralctl/migrations/000095_authentication_only_backend_api_keys.up.sql

@@ -40,6 +40,7 @@ import {
   FormMessage,
 } from "@/components/ui/form";
 import { Input } from "@/components/ui/input";
+import { Switch } from "@/components/ui/switch";
 import {
   deleteBackendAPIKey,
   getBackendAPIKey,
@@ -48,6 +49,7 @@ import {
 
 const schema = z.object({
   displayName: z.string().min(1, "Display name is required"),
+  authenticationOnly: z.boolean(),
 });
 
 export function BackendApiKeyPage() {
@@ -65,6 +67,8 @@ export function BackendApiKeyPage() {
     resolver: zodResolver(schema),
     defaultValues: {
       displayName: getBackendApiKeyResponse?.backendApiKey?.displayName || "",
+      authenticationOnly:
+        getBackendApiKeyResponse?.backendApiKey?.authenticationOnly || false,
     },
   });
 
@@ -73,6 +77,7 @@ export function BackendApiKeyPage() {
       id: backendApiKeyId,
       backendApiKey: {
         displayName: data.displayName,
+        authenticationOnly: data.authenticationOnly,
       },
     });
     await refetch();
@@ -82,6 +87,8 @@ export function BackendApiKeyPage() {
   useEffect(() => {
     form.reset({
       displayName: getBackendApiKeyResponse?.backendApiKey?.displayName || "",
+      authenticationOnly:
+        getBackendApiKeyResponse?.backendApiKey?.authenticationOnly || false,
     });
   }, [getBackendApiKeyResponse, form]);
 
@@ -174,6 +181,26 @@ export function BackendApiKeyPage() {
                   </FormItem>
                 )}
               />
+              <FormField
+                control={form.control}
+                name="authenticationOnly"
+                render={({ field }) => (
+                  <FormItem>
+                    <FormLabel>Authentication Only</FormLabel>
+                    <FormDescription>
+                      If enabled, this API key can only be used for
+                      authentication.
+                    </FormDescription>
+                    <FormMessage />
+                    <FormControl>
+                      <Switch
+                        checked={field.value}
+                        onCheckedChange={field.onChange}
+                      />
+                    </FormControl>
+                  </FormItem>
+                )}
+              />
             </CardContent>
           </Card>
         </form>

console/src/gen/tesseral/backend/v1/models_pb.ts

@@ -77,6 +77,7 @@ import {
   HoverCardTrigger,
 } from "@/components/ui/hover-card";
 import { Input } from "@/components/ui/input";
+import { Switch } from "@/components/ui/switch";
 import {
   Table,
   TableBody,
@@ -216,6 +217,7 @@ export function ListBackendApiKeysCard() {
                             </HoverCard>
                           </div>
                         </TableHead>
+                        <TableHead>Type</TableHead>
                         <TableHead>Status</TableHead>
                         <TableHead>Created</TableHead>
                         <TableHead className="text-right">Actions</TableHead>
@@ -238,6 +240,15 @@ export function ListBackendApiKeysCard() {
                               label="Backend API Key ID"
                             />
                           </TableCell>
+                          <TableCell>
+                            {key.authenticationOnly ? (
+                              <Badge variant="secondary">
+                                Authentication Only
+                              </Badge>
+                            ) : (
+                              <Badge>Full Access</Badge>
+                            )}
+                          </TableCell>
                           <TableCell>
                             {key.revoked ? (
                               <Badge variant="secondary">Revoked</Badge>
@@ -418,6 +429,7 @@ function ManageBackendApiKeyButton({
 
 const schema = z.object({
   displayName: z.string().min(1, "Display name is required"),
+  authenticationOnly: z.boolean(),
 });
 
 function CreateBackendApiKeyButton() {
@@ -441,6 +453,7 @@ function CreateBackendApiKeyButton() {
     resolver: zodResolver(schema),
     defaultValues: {
       displayName: "",
+      authenticationOnly: false,
     },
   });
 
@@ -463,6 +476,7 @@ function CreateBackendApiKeyButton() {
     const { backendApiKey } = await createBackendApiKeyMutation.mutateAsync({
       backendApiKey: {
         displayName: data.displayName,
+        authenticationOnly: data.authenticationOnly,
       },
     });
     if (backendApiKey) {
@@ -513,6 +527,26 @@ function CreateBackendApiKeyButton() {
                     </FormItem>
                   )}
                 />
+                <FormField
+                  control={form.control}
+                  name="authenticationOnly"
+                  render={({ field }) => (
+                    <FormItem>
+                      <FormLabel>Authentication Only</FormLabel>
+                      <FormDescription>
+                        If enabled, this API key can only be used for
+                        authentication.
+                      </FormDescription>
+                      <FormMessage />
+                      <FormControl>
+                        <Switch
+                          checked={field.value}
+                          onCheckedChange={field.onChange}
+                        />
+                      </FormControl>
+                    </FormItem>
+                  )}
+                />
               </div>
               <DialogFooter className="mt-8">
                 <Button variant="outline" onClick={handleCancel}>

console/src/pages/console/settings/api-keys/backend-api-keys/BackendApiKeyPage.tsx

@@ -20,6 +20,10 @@ var skipRPCs = []string{
 	"/tesseral.backend.v1.BackendService/ConsoleGetConfiguration",
 }
 
+var authenticationRPCs = []string{
+	"/tesseral.backend.v1.BackendService/AuthenticateAPIKey",
+}
+
 var errAuthorizationHeaderRequired = errors.New("authorization header is required")
 
 var tracer = otel.Tracer("github.com/tesseral-labs/tesseral/internal/backend/authn/interceptor")
@@ -59,6 +63,10 @@ func New(s *store.Store, consoleProjectID string) connect.UnaryInterceptorFunc {
 					return nil, fmt.Errorf("authenticate project api key: %w", err)
 				}
 
+				if res.AuthenticationOnly && !reqContainsAllowedRPC(req, authenticationRPCs) {
+					return nil, connect.NewError(connect.CodePermissionDenied, errors.New("permission denied"))
+				}
+
 				ctx = authn.NewBackendAPIKeyContext(ctx, &authn.BackendAPIKeyContextData{
 					BackendAPIKeyID: res.BackendAPIKeyID,
 					ProjectID:       res.ProjectID,
@@ -140,3 +148,12 @@ func authenticateAccessToken(ctx context.Context, s *store.Store, consoleProject
 		ProjectID: projectID,
 	}, nil
 }
+
+func reqContainsAllowedRPC(req connect.AnyRequest, allowedRPCs []string) bool {
+	for _, rpc := range allowedRPCs {
+		if rpc == req.Spec().Procedure {
+			return true
+		}
+	}
+	return false
+}