Custom scopes for public api keys #7104
Replies: 10 comments 4 replies
There is an old discussion that is relevant here: https://github.com/orgs/langfuse/discussions/5005#discussioncomment-12452022 Basically, with the new environments feature it would be very useful (and sensible) to have keys scoped to environments, for example to separate non-prod and prod permissions. I suppose this goes a step further, and you could say that more abstractly we require environment-specific RBAC.
Also requested by a user I have talked with, who wanted to have fine-grained API keys, rotation policy, and auto renewal.
Read-only/write-only access on keys would be useful for us.
I wanted to follow up on the response you made at the town hall. I wasn't clear if you supported API keys that supported only ingesting. Correct me if I'm wrong, it sounded like anybody with a public key could submit OTel data, but anyone with SK + PK can do API operations? Was that the correct understanding? Also following up: your code base already supports scopes based on the org/project roles, wondering if just adding these scopes to API keys would be a quick win in this area.
This is definitely required to leverage the API better. I want to enable developers to use the API for several read-only actions, but I have to provide full access to the whole project to do so. I expected users to be able to generate their own keys, as they already have roles defining their access levels, and basically use the keys for API-level access to the same functionality. Even if the user-level API key is not something on the roadmap, simply having read-only API keys would be a much more secure way to give access to people, especially on production environments.
Also requested by a user I talked to: API keys for read-only access.
I've had to hack this feature into my Langfuse via AWS ALB blocking any POST requests from my designated read API keys. Really would appreciate API keys with some level of permission customizability so we don't implement it at the ALB level.
Read-only API keys also requested by a user who would like to give their coding agent access to Langfuse to read traces, but doesn't want it to have edit access.
+1 — any ETA on this? We need read-only API keys for AI agents that debug workflows across environments.
Having read-only API keys seems like a table-stakes feature to let agents adopt the Langfuse CLI. Are there any updates around timing or roadmap prioritization? I run into this about a dozen times a week when I want Claude to take a first stab at pulling down a trace, and I absolutely do not want Claude to have write access and for an agent to accidentally screw up my production telemetry.
Describe the feature or potential improvement
Currently API keys have full access to all resources. It'd be helpful to be able to set custom scopes on each API key to e.g. have an API key that can only read prompts but cannot read tracing data.
Additional information
No response