feat: add API key authentication for Copilot API endpoints

[yunaamelia]

Summary

Add multi-key API key authentication to protect Copilot API endpoints from unauthorized access.

Features

• API Key Authentication: Validates requests using Bearer token or x-api-key header
• Multi-Key Support: Parse keys from COPILOT_API_KEY or COPILOT_API_KEYS env var
• Secure Comparison: Constant-time string comparison to prevent timing attacks
• Path Bypass: Health check endpoints (/, /health) bypass authentication
• CLI Integration: --api-key and --no-auth flags for flexibility
• Test Coverage: 27 comprehensive tests (100% coverage for new code)

Security

• No hardcoded secrets
• Constant-time key comparison
• Generic error messages (no key hints)
• Support for key rotation via multiple keys

Usage Examples

# With environment variable
export COPILOT_API_KEYS="key1,key2,key3,key4"
npx copilot-api@latest start

# With CLI flag
npx copilot-api@latest start --api-key "your-key"

# Local development (no auth)
npx copilot-api@latest start --no-auth

Making Requests

# With Authorization header
curl http://localhost:4141/v1/models \
  -H "Authorization: Bearer your-api-key"

# With x-api-key header
curl http://localhost:4141/v1/models \
  -H "x-api-key: your-api-key"

Files Changed

Added:

• src/lib/auth-config.ts - Auth config & env parsing
• src/lib/auth-middleware.ts - Hono middleware
• tests/auth-config.test.ts - Config tests
• tests/auth-middleware.test.ts - Middleware tests

Modified:

• src/lib/state.ts - Add auth fields
• src/start.ts - Add CLI args
• src/server.ts - Apply middleware
• README.md - Add auth docs

Removed:

• src/routes/token/route.ts - Security risk (exposed token)

Testing

All 27 tests pass with 100% coverage:

• 4 parsing tests
• 3 config tests
• 4 security tests
• 6 validation tests
• 5 path bypass tests
• 17 integration tests

✅ Validated with 4 environment API keys

[Copilot]

Pull request overview

Adds API-key based authentication to the Copilot API proxy so endpoints can be protected from unauthorized access, with CLI/env configuration and associated tests/docs.

Changes:

• Introduces auth configuration parsing (COPILOT_API_KEY / COPILOT_API_KEYS) and wires it into global state + CLI flags (--api-key, --no-auth).
• Adds Hono middleware to enforce API key auth (with bypass for / and /health) and applies it to the server.
• Removes the /token route and adds tests/documentation for the new auth behavior.

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 11 comments.

Show a summary per file

File	Description
src/lib/auth-config.ts	Parses/validates auth config from env + CLI and computes authEnabled.
src/lib/auth-middleware.ts	Implements API key extraction/validation and skip-path handling as Hono middleware.
src/lib/state.ts	Extends global state with auth-related fields.
src/start.ts	Adds CLI args + initializes auth state; updates Claude Code env generation token behavior.
src/server.ts	Registers auth middleware; adds /health; removes /token route wiring.
src/routes/token/route.ts	Removes token-exposing endpoint implementation.
tests/auth-config.test.ts	Adds unit tests for env parsing and config composition.
tests/auth-middleware.test.ts	Adds unit/integration-style tests for middleware and helpers.
tests/integration-auth.test.ts	Adds integration test intended to validate env-key configuration end-to-end.
README.md	Documents API-key authentication + new CLI options; removes /token endpoint mention.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This integration test relies on external CI/local environment state (it never sets COPILOT_API_KEYS/COPILOT_API_KEY, yet asserts there are 4 keys). That makes it non-hermetic and will fail for contributors/CI runs without those env vars. Set the env vars within the test (and restore them after) so the test is self-contained.

[Copilot]

Avoid writing to stdout from tests (the console.log in beforeAll adds noise and can slow down CI). If you need debug output, gate it behind an environment flag or remove it entirely.

Suggested change

	console.log(
	`\nConfigured ${state.apiKeys.length} API keys from environment`,
	)

[Copilot]

This file mutates the global singleton state in beforeAll and never restores it. If tests are executed in the same process, this can leak auth settings into other test files and make ordering affect results. Add an afterAll (or use beforeEach) to reset state back to defaults.

[Copilot]

Reassigning process.env can behave unexpectedly (it’s a special object in Node/Bun) and can drop inherited properties, breaking other tests. Prefer restoring only the specific keys you changed (save prior values, then set/delete COPILOT_API_KEY(S) in afterEach) rather than replacing the entire env object.

[Copilot]

Same issue here: reassigning process.env in test teardown can cause cross-test side effects. Restore only the environment variables touched by this describe block instead of overwriting process.env wholesale.

[Copilot]

Failing open when authEnabled is true but apiKeys is empty creates a security footgun: any misconfiguration or future regression that sets authEnabled without keys will silently allow all requests. Prefer failing closed (return 500 or 401) so the server doesn’t become unintentionally public.

Suggested change

	// No keys configured but auth enabled - this shouldn't happen
	// but we'll allow the request through with a warning
	consola.warn("Auth enabled but no API keys configured")
	await next()
	return
	// No keys configured while auth is enabled: fail closed
	consola.error("Auth enabled but no API keys configured")
	return c.json(
	{
	error: {
	message: "Authentication is misconfigured",
	type: "server_error",
	},
	},
	500,
	)

[Copilot]

When --no-auth is used (or no keys are configured), this still injects the first configured API key into the generated Claude Code command. That can leak a real secret into clipboard/terminal history even though the server isn’t requiring it. Consider only setting ANTHROPIC_AUTH_TOKEN to an API key when state.authEnabled is true; otherwise keep using a dummy value or omit it.

Suggested change

	ANTHROPIC_AUTH_TOKEN: state.apiKeys[0] ?? "dummy",
	ANTHROPIC_AUTH_TOKEN: state.authEnabled
	? (state.apiKeys[0] ?? "dummy")
	: "dummy",

[Copilot]

With API-key auth enabled, the hosted Usage Viewer will receive 401s because it fetches /usage without sending an API key. Consider documenting this in the new Authentication section (e.g., note that the viewer requires --no-auth, or add guidance on supplying an API key when using the viewer).

Suggested change

	### Usage Viewer and Authentication
	The hosted Usage Viewer fetches `/usage`. If API-key authentication is enabled on this proxy and the viewer does not send your API key, those requests will fail with `401 Unauthorized`.
	When using the hosted Usage Viewer, either:
	- start the proxy with `--no-auth`, or
	- configure the viewer/client to send your API key using either `Authorization: Bearer your-secret-api-key` or `x-api-key: your-secret-api-key`.

[Copilot]

The --no-auth row appears to have misaligned spacing in the options table (extra spaces before the final |). This can render oddly in Markdown tables—please align the columns consistently with the surrounding rows.

Suggested change

	| --no-auth | Disable authentication (for local development only) | false | none |
	| --no-auth | Disable authentication (for local development only) | false | none |

[Copilot]

This test codifies a fail-open behavior (auth enabled + no keys => allow). If the middleware is updated to fail closed for safety, this test should be updated to assert the new behavior (e.g., 500 or 401) so misconfiguration can’t silently expose endpoints.