coder · ThomasK33 · Jul 19, 2025
diff --git a/.claude/notes/token-scopes.md b/.claude/notes/token-scopes.md
diff --git a/cli/exp_scaletest.go b/cli/exp_scaletest.go
@@ -1232,7 +1232,7 @@ func (r *RootCmd) scaletestDashboard() *serpent.Command {
 				name := fmt.Sprintf("dashboard-%s", usr.Username)
 				userTokResp, err := client.CreateToken(ctx, usr.ID.String(), codersdk.CreateTokenRequest{
 					Lifetime:  30 * 24 * time.Hour,
-					Scope:     "",
+					Scopes:    []codersdk.APIKeyScope{codersdk.APIKeyScopeAll},
 					TokenName: fmt.Sprintf("scaletest-%d", time.Now().Unix()),
 				})
 				if err != nil {

diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/apikey.go b/coderd/apikey.go
@@ -24,6 +24,15 @@ import (
 	"github.com/coder/coder/v2/codersdk"
 )
 
+// convertAPIKeyScopesToDatabase converts SDK API key scopes to database API key scopes
+func convertAPIKeyScopesToDatabase(scopes []codersdk.APIKeyScope) []database.APIKeyScope {
+	dbScopes := make([]database.APIKeyScope, 0, len(scopes))
+	for _, scope := range scopes {
+		dbScopes = append(dbScopes, database.APIKeyScope(scope))
+	}
+	return dbScopes
+}
+
 // Creates a new token API key with the given scope and lifetime.
 //
 // @Summary Create token API key
@@ -56,9 +65,10 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	scope := database.APIKeyScopeAll
-	if scope != "" {
-		scope = database.APIKeyScope(createToken.Scope)
+	// Use the scopes from the request, or default to 'all' if empty
+	scopes := createToken.Scopes
+	if len(scopes) == 0 {
+		scopes = []codersdk.APIKeyScope{codersdk.APIKeyScopeAll}
 	}
 
 	tokenName := namesgenerator.GetRandomName(1)
@@ -71,7 +81,7 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 		UserID:          user.ID,
 		LoginType:       database.LoginTypeToken,
 		DefaultLifetime: api.DeploymentValues.Sessions.DefaultTokenDuration.Value(),
-		Scope:           scope,
+		Scopes:          convertAPIKeyScopesToDatabase(scopes), // New scopes array
 		TokenName:       tokenName,
 	}
 
@@ -380,7 +390,7 @@ func (api *API) validateAPIKeyLifetime(ctx context.Context, userID uuid.UUID, li
 // getMaxTokenLifetime returns the maximum allowed token lifetime for a user.
 // It distinguishes between regular users and owners.
 func (api *API) getMaxTokenLifetime(ctx context.Context, userID uuid.UUID) (time.Duration, error) {
-	subject, _, err := httpmw.UserRBACSubject(ctx, api.Database, userID, rbac.ScopeAll)
+	subject, _, err := httpmw.UserRBACSubject(ctx, api.Database, userID, []rbac.ExpandableScope{rbac.ScopeAll})
 	if err != nil {
 		return 0, xerrors.Errorf("failed to get user rbac subject: %w", err)
 	}

diff --git a/coderd/apikey/apikey.go b/coderd/apikey/apikey.go
@@ -25,7 +25,8 @@ type CreateParams struct {
 	// Optional.
 	ExpiresAt       time.Time
 	LifetimeSeconds int64
-	Scope           database.APIKeyScope
+	Scope           database.APIKeyScope   // Legacy single scope (for backward compatibility)
+	Scopes          []database.APIKeyScope // New scopes array
 	TokenName       string
 	RemoteAddr      string
 }
@@ -62,14 +63,24 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)
 
 	bitlen := len(ip) * 8
 
-	scope := database.APIKeyScopeAll
-	if params.Scope != "" {
-		scope = params.Scope
+	// Determine scopes - prioritize Scopes array, fallback to legacy Scope
+	var scopes []database.APIKeyScope
+	if len(params.Scopes) > 0 {
+		scopes = params.Scopes
+	} else {
+		// Fallback to legacy single scope
+		scope := database.APIKeyScopeAll
+		if params.Scope != "" {
+			scope = params.Scope
+		}
+		scopes = []database.APIKeyScope{scope}
 	}
-	switch scope {
-	case database.APIKeyScopeAll, database.APIKeyScopeApplicationConnect:
-	default:
-		return database.InsertAPIKeyParams{}, "", xerrors.Errorf("invalid API key scope: %q", scope)
+
+	// Validate all scopes
+	for _, scope := range scopes {
+		if !scope.Valid() {
+			return database.InsertAPIKeyParams{}, "", xerrors.Errorf("invalid API key scope: %q", scope)
+		}
 	}
 
 	token := fmt.Sprintf("%s-%s", keyID, keySecret)
@@ -92,7 +103,7 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)
 		UpdatedAt:    dbtime.Now(),
 		HashedSecret: hashed[:],
 		LoginType:    params.LoginType,
-		Scope:        scope,
+		Scopes:       scopes, // New scopes array
 		TokenName:    params.TokenName,
 	}, token, nil
 }

diff --git a/coderd/apikey/apikey_test.go b/coderd/apikey/apikey_test.go
@@ -35,7 +35,7 @@ func TestGenerate(t *testing.T) {
 				LifetimeSeconds: int64(time.Hour.Seconds()),
 				TokenName:       "hello",
 				RemoteAddr:      "1.2.3.4",
-				Scope:           database.APIKeyScopeApplicationConnect,
+				Scopes:          []database.APIKeyScope{database.APIKeyScopeApplicationConnect},
 			},
 		},
 		{
@@ -48,7 +48,7 @@ func TestGenerate(t *testing.T) {
 				LifetimeSeconds: int64(time.Hour.Seconds()),
 				TokenName:       "hello",
 				RemoteAddr:      "1.2.3.4",
-				Scope:           database.APIKeyScope("test"),
+				Scopes:          []database.APIKeyScope{database.APIKeyScope("test")},
 			},
 			fail: true,
 		},
@@ -62,7 +62,7 @@ func TestGenerate(t *testing.T) {
 				ExpiresAt:       time.Time{},
 				TokenName:       "hello",
 				RemoteAddr:      "1.2.3.4",
-				Scope:           database.APIKeyScopeApplicationConnect,
+				Scopes:          []database.APIKeyScope{database.APIKeyScopeApplicationConnect},
 			},
 		},
 		{
@@ -75,7 +75,7 @@ func TestGenerate(t *testing.T) {
 				ExpiresAt:       time.Time{},
 				TokenName:       "hello",
 				RemoteAddr:      "1.2.3.4",
-				Scope:           database.APIKeyScopeApplicationConnect,
+				Scopes:          []database.APIKeyScope{database.APIKeyScopeApplicationConnect},
 			},
 		},
 		{
@@ -88,7 +88,7 @@ func TestGenerate(t *testing.T) {
 				LifetimeSeconds: int64(time.Hour.Seconds()),
 				TokenName:       "hello",
 				RemoteAddr:      "",
-				Scope:           database.APIKeyScopeApplicationConnect,
+				Scopes:          []database.APIKeyScope{database.APIKeyScopeApplicationConnect},
 			},
 		},
 		{
@@ -101,7 +101,7 @@ func TestGenerate(t *testing.T) {
 				LifetimeSeconds: int64(time.Hour.Seconds()),
 				TokenName:       "hello",
 				RemoteAddr:      "1.2.3.4",
-				Scope:           "",
+				Scopes:          []database.APIKeyScope{},
 			},
 		},
 	}
@@ -158,10 +158,10 @@ func TestGenerate(t *testing.T) {
 				assert.Equal(t, "0.0.0.0", key.IPAddress.IPNet.IP.String())
 			}
 
-			if tc.params.Scope != "" {
-				assert.Equal(t, tc.params.Scope, key.Scope)
+			if len(tc.params.Scopes) > 0 {
+				assert.Equal(t, tc.params.Scopes, key.Scopes)
 			} else {
-				assert.Equal(t, database.APIKeyScopeAll, key.Scope)
+				assert.Equal(t, []database.APIKeyScope{database.APIKeyScopeAll}, key.Scopes)
 			}
 
 			if tc.params.TokenName != "" {

diff --git a/coderd/apikey_test.go b/coderd/apikey_test.go
@@ -47,7 +47,7 @@ func TestTokenCRUD(t *testing.T) {
 	// expires_at should default to 30 days
 	require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*24*6))
 	require.Less(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*24*8))
-	require.Equal(t, codersdk.APIKeyScopeAll, keys[0].Scope)
+	require.Equal(t, []codersdk.APIKeyScope{codersdk.APIKeyScopeAll}, keys[0].Scopes)
 
 	// no update
 
@@ -73,7 +73,7 @@ func TestTokenScoped(t *testing.T) {
 	_ = coderdtest.CreateFirstUser(t, client)
 
 	res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
-		Scope: codersdk.APIKeyScopeApplicationConnect,
+		Scopes: []codersdk.APIKeyScope{codersdk.APIKeyScopeApplicationConnect},
 	})
 	require.NoError(t, err)
 	require.Greater(t, len(res.Key), 2)
@@ -82,7 +82,7 @@ func TestTokenScoped(t *testing.T) {
 	require.NoError(t, err)
 	require.EqualValues(t, len(keys), 1)
 	require.Contains(t, res.Key, keys[0].ID)
-	require.Equal(t, keys[0].Scope, codersdk.APIKeyScopeApplicationConnect)
+	require.Equal(t, []codersdk.APIKeyScope{codersdk.APIKeyScopeApplicationConnect}, keys[0].Scopes)
 }
 
 func TestUserSetTokenDuration(t *testing.T) {