feat(cli,webapp): mint short-lived delegated tokens that act as a user

[ericallam]

Summary

Adds a short-lived, delegated token (tr_uat_...) that authenticates against the API as a user without handing out a long-lived personal access token. You mint one from a PAT, optionally narrow it to a set of scopes, and give it a lifetime; the API then treats requests as that user, subject to their role.

trigger.dev mint-token is the entry point (it uses your stored PAT):

UAT=$(trigger.dev mint-token --ttl 3600 --cap read:runs)

The token works anywhere a PAT does for user-level endpoints, and can be exchanged for an environment JWT at POST /api/v1/projects/:ref/:env/jwt to reach environment-scoped data (the same exchange a PAT supports).

How it works

A user-actor token is a short-lived JWT verified by a new first-class authenticateUserActor method on the RBAC plugin. Self-hosters get a built-in fallback; role-aware enforcement comes from the plugin. Effective permissions are the intersection of the user's role and the token's optional scope cap, so a token is only ever narrower than the user, never broader.

Minting is restricted to personal access tokens (a token can't mint another one, and an environment key can't mint one). Tokens default to a 1 hour lifetime (max 365 days). When exchanged for an environment JWT, the user is stamped on it for attribution and the scope cap is carried through.

[changeset-bot]

🦋 Changeset detected

Latest commit: 9ad2316

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 26 packages

Name	Type
trigger.dev	Patch
@trigger.dev/build	Patch
@trigger.dev/core	Patch
@trigger.dev/plugins	Patch
@trigger.dev/python	Patch
@trigger.dev/react-hooks	Patch
@trigger.dev/redis-worker	Patch
@trigger.dev/rsc	Patch
@trigger.dev/schema-to-json	Patch
@trigger.dev/sdk	Patch
@trigger.dev/database	Patch
@trigger.dev/otlp-importer	Patch
@trigger.dev/rbac	Patch
@trigger.dev/sso	Patch
@internal/cache	Patch
@internal/clickhouse	Patch
@internal/llm-model-catalog	Patch
@internal/redis	Patch
@internal/replication	Patch
@internal/run-engine	Patch
@internal/schedule-engine	Patch
@internal/testcontainers	Patch
@internal/tracing	Patch
@internal/tsql	Patch
@internal/zod-worker	Patch
@internal/sdk-compat-tests	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 9b7743c1-43fe-4ff9-bd49-1f46023c999d

📥 Commits

Reviewing files that changed from the base of the PR and between feb93a7 and 9ad2316.

📒 Files selected for processing (14)

• .changeset/mint-token-command.md
• apps/webapp/app/routes/api.v1.auth.user-actor-token.ts
• apps/webapp/app/routes/api.v1.projects.$projectRef.$env.jwt.ts
• apps/webapp/app/services/environmentVariableApiAccess.server.ts
• apps/webapp/app/services/personalAccessToken.server.ts
• apps/webapp/app/services/rbac.server.ts
• apps/webapp/app/services/routeBuilders/apiBuilder.server.ts
• internal-packages/rbac/src/fallback.ts
• internal-packages/rbac/src/index.ts
• packages/cli-v3/src/apiClient.ts
• packages/cli-v3/src/cli/index.ts
• packages/cli-v3/src/commands/mint-token.ts
• packages/plugins/src/index.ts
• packages/plugins/src/rbac.ts

✅ Files skipped from review due to trivial changes (1)

• .changeset/mint-token-command.md

🚧 Files skipped from review as they are similar to previous changes (13)

• packages/plugins/src/index.ts
• packages/cli-v3/src/cli/index.ts
• packages/cli-v3/src/apiClient.ts
• apps/webapp/app/services/environmentVariableApiAccess.server.ts
• apps/webapp/app/services/personalAccessToken.server.ts
• apps/webapp/app/services/rbac.server.ts
• internal-packages/rbac/src/index.ts
• apps/webapp/app/services/routeBuilders/apiBuilder.server.ts
• internal-packages/rbac/src/fallback.ts
• packages/plugins/src/rbac.ts
• packages/cli-v3/src/commands/mint-token.ts
• apps/webapp/app/routes/api.v1.projects.$projectRef.$env.jwt.ts
• apps/webapp/app/routes/api.v1.auth.user-actor-token.ts

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (33)

• GitHub Check: internal / 🧪 Unit Tests: Internal (7, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (3, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (8, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (11, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (5, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (10, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (9, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (12, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (1, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (4, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (6, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (2, 12)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (9, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (7, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (8, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (10, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (4, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (5, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (6, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (2, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (3, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (1, 10)
• GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - pnpm)
• GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - npm)
• GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - pnpm)
• GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - npm)
• GitHub Check: packages / 🧪 Unit Tests: Packages (2, 3)
• GitHub Check: typecheck / typecheck
• GitHub Check: packages / 🧪 Unit Tests: Packages (3, 3)
• GitHub Check: packages / 🧪 Unit Tests: Packages (1, 3)
• GitHub Check: e2e-webapp / 🧪 E2E Tests: Webapp
• GitHub Check: 🛡️ E2E Auth Tests (full)
• GitHub Check: Build and publish previews

---

Walkthrough

This PR introduces a delegated "user-actor" token (UAT) system and a trigger.dev mint-token CLI command. The token grammar (tr_uat_ prefix, JWT sign/verify functions, UserActorClaims, UserActorAuthResult) is defined in packages/plugins/src/rbac.ts and propagated through the RBAC package's fallback controller and lazy controller via a new authenticateUserActor method. A new webapp API route (api.v1.auth.user-actor-token) mints short-lived UATs from a caller's PAT with optional cap, client, and ttlSeconds parameters. Existing webapp routes and services (env.jwt, apiBuilder, personalAccessToken, environmentVariableApiAccess) are updated to accept and verify UATs alongside PATs. The CLI gains a mint-token command backed by a new CliApiClient.mintUserActorToken method.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is largely incomplete and does not follow the repository template structure, missing key sections like the issue reference, checklist, testing steps, and changelog.	Add the missing template sections: close with an issue reference, include the checklist with all items, document testing steps, provide a changelog entry, and add screenshots if applicable.
Docstring Coverage	⚠️ Warning	Docstring coverage is 23.08% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the primary change: adding a feature to mint short-lived delegated tokens that authenticate as a user, which is the main objective of the PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/delegated-user-actor-token

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@trigger.dev/build

npm i https://pkg.pr.new/@trigger.dev/build@9ad2316

trigger.dev

npm i https://pkg.pr.new/trigger.dev@9ad2316

@trigger.dev/core

npm i https://pkg.pr.new/@trigger.dev/core@9ad2316

@trigger.dev/python

npm i https://pkg.pr.new/@trigger.dev/python@9ad2316

@trigger.dev/react-hooks

npm i https://pkg.pr.new/@trigger.dev/react-hooks@9ad2316

@trigger.dev/redis-worker

npm i https://pkg.pr.new/@trigger.dev/redis-worker@9ad2316

@trigger.dev/rsc

npm i https://pkg.pr.new/@trigger.dev/rsc@9ad2316

@trigger.dev/schema-to-json

npm i https://pkg.pr.new/@trigger.dev/schema-to-json@9ad2316

@trigger.dev/sdk

npm i https://pkg.pr.new/@trigger.dev/sdk@9ad2316

commit: 9ad2316