mirror of
https://github.com/langbot-app/LangBot.git
synced 2026-06-20 12:34:21 +00:00
Junyan Chin
e9dd584792
* feat(api): support global API key from config.yaml (api.global_api_key) Accept a config-defined global API key anywhere a web-UI key is accepted (X-API-Key / Bearer), with no login session and no DB record. Useful for automated deployments and AI agents (HTTP API + MCP). Defaults to empty (disabled); does not require the lbk_ prefix. - templates/config.yaml: add api.global_api_key with security notes - service/apikey.py: verify_api_key checks global key first (constant-time) - docs/API_KEY_AUTH.md: document the global key + security guidance - tests: cover global-key match, prefix-free, fallback-to-db, disabled * feat(mcp): expose LangBot management as an MCP server at /mcp Add an MCP (Model Context Protocol) server so external AI agents can manage a LangBot instance. Reuses the same API-key auth as the HTTP API (including the config.yaml global API key). - pkg/api/mcp/server.py: FastMCP server wrapping the service layer; 21 curated tools across system/bots/pipelines/models/knowledge/mcp-servers/skills - pkg/api/mcp/mount.py: ASGI dispatcher fronting Quart; authenticates /mcp requests with an API key, runs the streamable-HTTP session manager lifespan - controller/main.py: serve the wrapped ASGI app via hypercorn (was run_task) - web: new 'MCP' tab in the API integration dialog showing endpoint, auth, and client config; i18n for 8 locales - tests/manual/mcp_smoke.py: e2e check (401 unauth, list tools, call tools) Tool surface is intentionally curated (not all ~25 route groups) to keep the agent surface small, safe, and maintainable. Extend deliberately. * feat(skills): add in-repo skills/ as the single source of truth Migrate the agent skills + QA/e2e test harness from the (now archived) langbot-app/langbot-skills repo into LangBot/skills/, and add four new skills. Migrated: - langbot-plugin-dev, langbot-testing (e2e), langbot-env-setup, langbot-skills-maintenance, langbot-eba-adapter-dev - the bin/lbs CLI (src/, test/, scripts/, schemas/, qa-agent-docs/) New: - langbot-dev core backend + web development - langbot-deploy Docker/K8s deployment + config.yaml + global API key - langbot-mcp-ops operating the LangBot MCP server (/mcp) - langbot-space-ops operating the Space marketplace MCP server - src/cli.ts repoRoot(): recognize the skills assets root (skills.index.json + bin/lbs) so the CLI works when nested inside the LangBot repo - README.md: unified skill catalog; skills.index.json regenerated Parity with source verified: bin/lbs validate + node test suite match the source repo (only the uncommitted .lbpkg build-artifact fixture differs). * docs(agents): document agent-facing surfaces + API/MCP/skills sync rule * docs(readme): add 'Built for AI Agents' section across all locales Highlight MCP server, in-repo skills (single source of truth), AGENTS.md sync rule, and llms.txt. Cross-link LangBot Space MCP marketplace. * style(mcp): fix ruff format + prettier lint in MCP server and API panel * style(web): prettier format MCP i18n locale entries * docs(skills): note MCP instance control in dev/testing skills All development-guidance skills now point to the LangBot instance MCP server (/mcp) and the Space marketplace MCP server, reusing API keys.
7.2 KiB
7.2 KiB
API Key Authentication
LangBot now supports API key authentication for external systems to access its HTTP service API.
Managing API Keys
API keys can be managed through the web interface:
- Log in to the LangBot web interface
- Click the "API Keys" button at the bottom of the sidebar
- Create, view, copy, or delete API keys as needed
Global API Key (config.yaml)
In addition to web-UI-created keys (stored in the database, prefixed lbk_),
LangBot supports a global API key defined directly in data/config.yaml.
This is useful for automated deployments, infrastructure-as-code, and AI agents
that need API/MCP access without a login session and without creating a
database record first.
api:
port: 5300
# ...
global_api_key: 'your-strong-secret-here' # leave empty to disable
Behavior:
- When
api.global_api_keyis a non-empty string, that exact value is accepted anywhere a normal API key is accepted — theX-API-Keyheader orAuthorization: Bearer <key>— across the HTTP service API and the MCP server. - The global key does not require the
lbk_prefix; use any sufficiently strong secret. - Leave it empty (
'', the default) to disable it entirely; only database-backedlbk_keys will then be accepted. - Existing installs are unaffected until you add the key — config completion only backfills top-level keys, and the lookup is defensive when the field is absent.
Security: the global key is stored in plaintext in
config.yaml. Only enable it on trusted/internal deployments, keep the file permissions tight, always serve over HTTPS, and rotate the value if it may have leaked.
Using API Keys
Authentication Headers
Include your API key in the request header using one of these methods:
Method 1: X-API-Key header (Recommended)
X-API-Key: lbk_your_api_key_here
Method 2: Authorization Bearer token
Authorization: Bearer lbk_your_api_key_here
Available APIs
All existing LangBot APIs now support both user token and API key authentication. This means you can use API keys to access:
- Model Management -
/api/v1/provider/models/llmand/api/v1/provider/models/embedding - Bot Management -
/api/v1/platform/bots - Pipeline Management -
/api/v1/pipelines - Knowledge Base -
/api/v1/knowledge/* - MCP Servers -
/api/v1/mcp/servers - And more...
Authentication Methods
Each endpoint accepts either:
- User Token (via
Authorization: Bearer <user_jwt_token>) - for web UI and authenticated users - API Key (via
X-API-KeyorAuthorization: Bearer <api_key>) - for external services
Example: Model Management
List All LLM Models
GET /api/v1/provider/models/llm
X-API-Key: lbk_your_api_key_here
Response:
{
"code": 0,
"msg": "ok",
"data": {
"models": [
{
"uuid": "model-uuid",
"name": "GPT-4",
"description": "OpenAI GPT-4 model",
"requester": "openai-chat-completions",
"requester_config": {...},
"abilities": ["chat", "vision"],
"created_at": "2024-01-01T00:00:00",
"updated_at": "2024-01-01T00:00:00"
}
]
}
}
Create a New LLM Model
POST /api/v1/provider/models/llm
X-API-Key: lbk_your_api_key_here
Content-Type: application/json
{
"name": "My Custom Model",
"description": "Description of the model",
"requester": "openai-chat-completions",
"requester_config": {
"model": "gpt-4",
"args": {}
},
"api_keys": [
{
"name": "default",
"keys": ["sk-..."]
}
],
"abilities": ["chat"],
"extra_args": {}
}
Update an LLM Model
PUT /api/v1/provider/models/llm/{model_uuid}
X-API-Key: lbk_your_api_key_here
Content-Type: application/json
{
"name": "Updated Model Name",
"description": "Updated description",
...
}
Delete an LLM Model
DELETE /api/v1/provider/models/llm/{model_uuid}
X-API-Key: lbk_your_api_key_here
Example: Bot Management
List All Bots
GET /api/v1/platform/bots
X-API-Key: lbk_your_api_key_here
Create a New Bot
POST /api/v1/platform/bots
X-API-Key: lbk_your_api_key_here
Content-Type: application/json
{
"name": "My Bot",
"adapter": "telegram",
"config": {...}
}
Example: Pipeline Management
List All Pipelines
GET /api/v1/pipelines
X-API-Key: lbk_your_api_key_here
Create a New Pipeline
POST /api/v1/pipelines
X-API-Key: lbk_your_api_key_here
Content-Type: application/json
{
"name": "My Pipeline",
"config": {...}
}
Error Responses
401 Unauthorized
{
"code": -1,
"msg": "No valid authentication provided (user token or API key required)"
}
or
{
"code": -1,
"msg": "Invalid API key"
}
404 Not Found
{
"code": -1,
"msg": "Resource not found"
}
500 Internal Server Error
{
"code": -2,
"msg": "Error message details"
}
Security Best Practices
- Keep API keys secure: Store them securely and never commit them to version control
- Use HTTPS: Always use HTTPS in production to encrypt API key transmission
- Rotate keys regularly: Create new API keys periodically and delete old ones
- Use descriptive names: Give your API keys meaningful names to track their usage
- Delete unused keys: Remove API keys that are no longer needed
- Use X-API-Key header: Prefer using the
X-API-Keyheader for clarity
Example: Python Client
import requests
API_KEY = "lbk_your_api_key_here"
BASE_URL = "http://your-langbot-server:5300"
headers = {
"X-API-Key": API_KEY,
"Content-Type": "application/json"
}
# List all models
response = requests.get(f"{BASE_URL}/api/v1/provider/models/llm", headers=headers)
models = response.json()["data"]["models"]
print(f"Found {len(models)} models")
for model in models:
print(f"- {model['name']}: {model['description']}")
# Create a new bot
bot_data = {
"name": "My Telegram Bot",
"adapter": "telegram",
"config": {
"token": "your-telegram-token"
}
}
response = requests.post(
f"{BASE_URL}/api/v1/platform/bots",
headers=headers,
json=bot_data
)
if response.status_code == 200:
bot_uuid = response.json()["data"]["uuid"]
print(f"Bot created with UUID: {bot_uuid}")
Example: cURL
# List all models
curl -X GET \
-H "X-API-Key: lbk_your_api_key_here" \
http://your-langbot-server:5300/api/v1/provider/models/llm
# Create a new pipeline
curl -X POST \
-H "X-API-Key: lbk_your_api_key_here" \
-H "Content-Type: application/json" \
-d '{
"name": "My Pipeline",
"config": {...}
}' \
http://your-langbot-server:5300/api/v1/pipelines
# Get bot logs
curl -X POST \
-H "X-API-Key: lbk_your_api_key_here" \
-H "Content-Type: application/json" \
-d '{
"from_index": -1,
"max_count": 10
}' \
http://your-langbot-server:5300/api/v1/platform/bots/{bot_uuid}/logs
Notes
- The same endpoints work for both the web UI (with user tokens) and external services (with API keys)
- No need to learn different API paths - use the existing API documentation with API key authentication
- All endpoints that previously required user authentication now also accept API keys