
Add opt-in coder_parameter with masked input for API keys in agent modules #716

@matifali


## Summary

Modules that accept API keys currently require passing them via Terraform variable blocks with sensitive = true. This works, but requires the API key to be set at the template level (e.g. via TF_VAR_*), which doesn't support per-user tokens.

For providers that don't support AI Gateway integration (e.g. Sourcegraph Amp), users need to provide their own personal API keys. We should add an opt-in coder_parameter with mask_input styling to all modules that accept API keys, allowing per-user token input directly in the workspace creation form.

Note this is a temporary workaround until we have coder/coder#17965

## Proposed Change

Add an optional coder_parameter alternative for API key input in each affected module. When opted in, the parameter would use masked input styling to cosmetically hide the value:

```hcl
data "coder_parameter" "api_key" {
  name         = "api_key"
  display_name = "API Key"
  description  = "Your personal API key"
  type         = "string"
  mutable      = true
  form_type    = "input"

  styling = jsonencode({
    mask_input = true
  })
}
```


This should be opt-in behavior — the existing variable block approach remains the default.

Note: `mask_input` is purely cosmetic (masks as `*` in the UI). The API key is still stored as plaintext in the Coder database. This should be clearly documented.

## Affected Modules

All agent modules accepting API key or token variables:

| Module | Variable(s) |
|---|---|
| `coder/modules/claude-code` | `claude_api_key` |
| `coder/modules/aider` | `api_key` |
| `coder/modules/goose` | (via `coder_env`, not a module var) |
| `coder/modules/amazon-q` | `auth_tarball` (sensitive) |
| `coder-labs/modules/copilot` | `github_token` (sensitive) |
| `coder-labs/modules/codex` | `openai_api_key` |
| `coder-labs/modules/auggie` | `augment_session_token` |
| `coder-labs/modules/sourcegraph-amp` | `amp_api_key` |
| `coder-labs/modules/gemini` | `gemini_api_key` |
| `coder-labs/modules/cursor-cli` | `api_key` |
| `coder-labs/modules/perplexica` | `anthropic_api_key` |
| `coder-labs/modules/open-webui` | `openai_api_key` |
| `coder-labs/modules/opencode` | `auth_json` |


---

Created on behalf of @matifali 
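
One way the opt-in described under Proposed Change could be wired inside a module, as an added example that is not part of the original issue or any module's own code. The variable names `agent_id`, `api_key` and `api_key_as_parameter`, and the environment variable name `EXAMPLE_API_KEY`, are assumptions made for illustration.

```hcl
# Hypothetical module internals; all variable and env names are assumptions.
terraform {
  required_providers {
    coder = { source = "coder/coder" }
  }
}

variable "agent_id" {
  type = string
}

# Existing default path: key set at the template level (e.g. TF_VAR_api_key).
variable "api_key" {
  type      = string
  default   = ""
  sensitive = true
}

# Hypothetical opt-in switch; false keeps the variable-based behaviour.
variable "api_key_as_parameter" {
  type    = bool
  default = false
}

# Rendered in the workspace creation form only when the template opts in.
data "coder_parameter" "api_key" {
  count        = var.api_key_as_parameter ? 1 : 0
  name         = "api_key"
  display_name = "API Key"
  description  = "Your personal API key (masked in the UI only; stored as plaintext)"
  type         = "string"
  mutable      = true
  form_type    = "input"
  styling = jsonencode({
    mask_input = true
  })
}

locals {
  # sensitive() only redacts the value in plan/apply output; it does not
  # change how the parameter value is stored.
  api_key = var.api_key_as_parameter ? sensitive(data.coder_parameter.api_key[0].value) : var.api_key
}

resource "coder_env" "api_key" {
  agent_id = var.agent_id
  name     = "EXAMPLE_API_KEY" # placeholder env var name
  value    = local.api_key
}
```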
