
feat(web): store per-user Daytona/OpenAI keys in WorkOS Vault #17

Draft
MohtashamMurshid wants to merge 1 commit into cursor/dashboard-ui-ba70 from cursor/workos-vault-byok-secrets-13bd
Conversation

@MohtashamMurshid
Owner

Summary

Builds on the live /dashboard (PR #16). The dashboard previously required users to paste their Daytona + OpenAI keys (or remember them in localStorage) on every run. This adds per-user, server-side key storage backed by WorkOS AuthKit + Vault, while keeping env vars working for local development.

  • The design API now resolves credentials per run in priority order: request body (BYOK) → signed-in user's WorkOS Vault secrets → DAYTONA_API_KEY / OPENAI_API_KEY env vars (local dev).
  • Adds WorkOS AuthKit sign-in (proxy.ts, /login, /callback, AuthKitProvider) and a /dashboard/settings page where each user stores their keys, encrypted in WorkOS Vault and scoped to their user id.
  • Degrades gracefully to local mode (no auth, env/BYOK only) when WorkOS is not configured, so local development is unchanged.

Base: this PR is stacked on cursor/dashboard-ui-ba70.

Surface(s) affected

  • Web (apps/web)

Breaking changes?

  • No

How credentials resolve

Each key resolves independently (a user can keep one in Vault and override the other for a single run):

| Priority | Source | Notes |
|---|---|---|
| 1 | Request body | BYOK keys typed into the dashboard form; never persisted server-side |
| 2 | WorkOS Vault | Per-user keys saved at /dashboard/settings, decrypted only server-side |
| 3 | Env vars | DAYTONA_API_KEY / OPENAI_API_KEY — local-dev fallback |

When WORKOS_API_KEY / WORKOS_CLIENT_ID / WORKOS_COOKIE_PASSWORD are unset, the app stays in local mode: the proxy is a pass-through, sign-in/settings show a "local mode" notice, and the BYOK form + env vars still work.

Screenshots / output samples

Dashboard in local mode — keys detected from environment variables, fields become optional overrides:

Dashboard local keys banner

Settings page in local mode — explains the WorkOS config needed to enable account-based Vault storage:

Settings local mode notice

Walkthrough:

dashboard_localmode_and_settings_walkthrough.mp4

Files

  • app/_lib/workos.ts — WorkOS config detection (isWorkOSConfigured).
  • app/_lib/auth.ts — getCurrentUser() (guarded withAuth).
  • app/_lib/credentials.ts — WorkOS Vault per-user secret read/save/clear + masked status.
  • app/_lib/credentials-resolver.ts (+ .test.ts) — pure body→vault→env priority resolver, unit tested.
  • app/api/design/route.ts — resolves run credentials via the chain; keys now optional.
  • app/dashboard/settings/* — settings page, server actions, client form.
  • proxy.ts, app/callback/route.ts, app/login/route.ts, app/layout.tsx — AuthKit wiring (all gated on config).
  • app/dashboard/page.tsx, _components/dashboard-runner.tsx, _components/types.ts — auth/credentials banner + optional form keys.
  • apps/web/README.md — documents the env vars and credential model.

Verification

  • bun run typecheck (apps/web) — passes
  • bun run build (apps/web) — passes; /callback, /login, /dashboard/settings and Proxy show in the route table
  • bun test app/_lib/credentials-resolver.test.ts — 6/6 pass
  • Runtime: POST /api/design returns 400 missing_credentials with no keys/env; resolves and runs the SDK when keys come from the body or from env vars
  • Manual: dashboard local-keys banner and settings local-mode notice verified in the browser (see walkthrough)

Checklist

  • Conventional-commit title
  • bun run lint passes
  • bun run typecheck passes
  • CHANGELOG.md updated under ## [Unreleased]

Note: the WorkOS Vault path itself (signed-in storage) could not be exercised end-to-end here because no WorkOS account/credentials are available in this environment; the resolver, env-var fallback, and local-mode UI are tested above.
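
The body → vault → env chain described above, sketched as an added example; this is not the PR's credentials-resolver.ts, and every type and function name in it is hypothetical. It assumes a blank form field counts as absent, so it cannot shadow a stored key, and that only a key's source and a masked tail are ever reported.

```typescript
// Added example: hypothetical names, not the PR's credentials-resolver.ts.
type Source = "body" | "vault" | "env";
type KeyName = "daytona" | "openai";
type KeySet = Partial<Record<KeyName, string | null | undefined>>;
interface Resolved { value: string; source: Source }
type Resolution =
  | { ok: true; keys: Record<KeyName, Resolved> }
  | { ok: false; status: 400; error: "missing_credentials"; missing: KeyName[] };

// Blank or whitespace-only input counts as absent (assumption), so an empty
// form field cannot shadow a key held in the vault or the environment.
function present(v: string | null | undefined): string | undefined {
  const t = typeof v === "string" ? v.trim() : "";
  return t.length > 0 ? t : undefined;
}

// Resolve each key independently: request body, then vault, then env.
function resolveCredentials(body: KeySet, vault: KeySet | null, env: KeySet): Resolution {
  const layers: [Source, KeySet][] = [["body", body], ["vault", vault ?? {}], ["env", env]];
  const keys: Partial<Record<KeyName, Resolved>> = {};
  const missing: KeyName[] = [];
  for (const name of ["daytona", "openai"] as const) {
    const hit = layers
      .map(([source, set]) => ({ source, value: present(set[name]) }))
      .find((c): c is Resolved => c.value !== undefined);
    if (hit) keys[name] = hit;
    else missing.push(name);
  }
  if (missing.length > 0) return { ok: false, status: 400, error: "missing_credentials", missing };
  return { ok: true, keys: keys as Record<KeyName, Resolved> };
}

// Report where a key came from plus a masked tail; short keys show no tail.
function maskedStatus(r: Resolved): string {
  const tail = r.value.length >= 12 ? r.value.slice(-4) : "";
  return `${r.source}:****${tail}`;
}

// Constructed sample: blank Daytona field in the form, both keys in the vault.
const sample = resolveCredentials(
  { daytona: "  ", openai: "sk-constructed-body-0001" },
  { daytona: "dtn-constructed-vault-9999", openai: "sk-constructed-vault-2222" },
  {},
);
```
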


Resolve dashboard run credentials in priority order: request body (BYOK)
> signed-in user's WorkOS Vault secrets > DAYTONA_API_KEY/OPENAI_API_KEY
env vars (local dev). Add AuthKit sign-in (proxy, /login, /callback,
AuthKitProvider) and a /dashboard/settings page where each user stores
their keys encrypted in WorkOS Vault, scoped to their user id.

Degrades gracefully to local mode (no auth, env/BYOK only) when WorkOS
is not configured, so local development is unchanged.

Co-authored-by: Mohtasham Murshid <MohtashamMurshid@users.noreply.github.com>
@vercel

vercel Bot commented May 29, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| getdesign | Error | | May 29, 2026 10:15am |
| getdesign-docs | Ready | Preview, Comment | May 29, 2026 10:15am |
| studio-site | Ready | Preview, Comment | May 29, 2026 10:15am |

@coderabbitai

coderabbitai Bot commented May 29, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 471194b4-8613-4dc8-951d-1441cabec514

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

