Skip to content

OAuth-style token system #62

New issue
New issue
Open
Open
OAuth-style token system#62
@elijah629

Description

@elijah629
elijah629
opened on Nov 26, 2025

I would like to build multi-user apps on top of hackai without having to hard-code or share long-lived API keys.

Currently, creating an app like this involves something along the lines of this:

  • The app developer generates an API key tied to their own slack account
  • That single key gets embedded into the app
  • All AI traffic in that app belongs to that one key and that one user

I’m proposing an OAuth-style “app” system where third-party apps can request short-lived, per-user access tokens using slack sign-in instead of using shared API keys.

Here are the current issues I see:

  1. Privacy
    If the app uses the developer’s ai.hackclub.com API key, then:

    • All usage is tied to that single key
    • In the hackclub ai daskboard, the key owner can see the IPs of whoever used it.

  2. Key management
    The alternative is to ask every user to paste their own API key into the app, which:

    • Is annoying
    • Requires the app to store other people’s API keys securely
    • Is scary because a leak gives full access to hackai without any protection (the user can of course revoke the API key, but who says they knew it happened)

Here is my proposed solution:

  1. Apps

    • Add a way user to register an oauth app (oauth ON this app, not hack club's auth)

  2. Authorization flow

    • The third-party app redirects the user through the oauth flow
    • User signs in with Hack Club (Slack or account.hackclub.com as usual)
    • On success, ai.hackclub.com redirects back with an authorization code.

  3. Token exchange

    • The app exchanges the code for a short-lived access token:
      • POST /oauth/token{ access_token, expires_in, refresh_token? }
    • This token is:
      • Bound to the user and app

  4. Using the token

    • Instead of API keys, the app calls Hack Club AI with:
      • Authorization: Bearer <access_token>
    • The backend checks the token, identifies the user + app, and enforces scopes and rate limits.

  5. Revocation & management

    • Users can see a list of “apps connected to Hack Club AI” and revoke access per app.
    • They can also see their usage per app, and app owners can see how much usage their entire app uses across all users without dealing with others' API keys.

I’d be happy to iterate on this design or help prototype it if this sounds aligned with where we want to take hackai.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions