Add opt-in coder_parameter with masked input for API keys in agent modules #716

Description

@matifali

## Summary

Modules that accept API keys currently require passing them via Terraform variable blocks with sensitive = true. This works, but requires the API key to be set at the template level (e.g. via TF_VAR_*), which doesn't support per-user tokens.

For providers that don't support AI Gateway integration (e.g. Sourcegraph Amp), users need to provide their own personal API keys. We should add an opt-in coder_parameter with mask_input styling to all modules that accept API keys, allowing per-user token input directly in the workspace creation form.

Note this is a temporary workaround until we have coder/coder#17965

## Proposed Change

Add an optional coder_parameter alternative for API key input in each affected module. When opted in, the parameter would use masked input styling to cosmetically hide the value:

```hcl
data "coder_parameter" "api_key" {
  name         = "api_key"
  display_name = "API Key"
  description  = "Your personal API key"
  type         = "string"
  mutable      = true
  form_type    = "input"

  styling = jsonencode({
    mask_input = true
  })
}
```

This should be opt-in behavior — the existing variable block approach remains the default.

Note: mask_input is purely cosmetic (masks as * in the UI). The API key is still stored as plaintext in the Coder database. This should be clearly documented.

## Affected Modules

All agent modules accepting API key or token variables:

| Module | Variable(s) |
|---|---|
| `coder/modules/claude-code` | `claude_api_key` |
| `coder/modules/aider` | `api_key` |
| `coder/modules/goose` | (via `coder_env`, not a module var) |
| `coder/modules/amazon-q` | `auth_tarball` (sensitive) |
| `coder-labs/modules/copilot` | `github_token` (sensitive) |
| `coder-labs/modules/codex` | `openai_api_key` |
| `coder-labs/modules/auggie` | `augment_session_token` |
| `coder-labs/modules/sourcegraph-amp` | `amp_api_key` |
| `coder-labs/modules/gemini` | `gemini_api_key` |
| `coder-labs/modules/cursor-cli` | `api_key` |
| `coder-labs/modules/perplexica` | `anthropic_api_key` |
| `coder-labs/modules/open-webui` | `openai_api_key` |
| `coder-labs/modules/opencode` | `auth_json` |


---

Created on behalf of @matifali 
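
One way the opt-in could be wired inside a module, shown for the `amp_api_key` variable from the table above. This is an added example, not code from the issue or from any of the listed modules; the `api_key_as_parameter` switch, the `agent_id` variable and the `AMP_API_KEY` environment variable name are assumptions made for illustration.

```hcl
terraform {
  required_providers {
    coder = { source = "coder/coder" }
  }
}

variable "agent_id" {
  type = string
}

# Existing template-level input (e.g. set via TF_VAR_*); stays the default path.
variable "amp_api_key" {
  type      = string
  default   = ""
  sensitive = true
}

# Hypothetical opt-in switch; off by default so existing templates are unchanged.
variable "api_key_as_parameter" {
  type    = bool
  default = false
}

# Only created when opted in, so no new field appears in the workspace form otherwise.
data "coder_parameter" "api_key" {
  count        = var.api_key_as_parameter ? 1 : 0
  name         = "api_key"
  display_name = "API Key"
  description  = "Your personal API key"
  type         = "string"
  mutable      = true
  form_type    = "input"
  styling = jsonencode({
    mask_input = true # cosmetic only: the value is still stored as plaintext
  })
}

locals {
  # Per-user value when opted in, template-level variable otherwise.
  # sensitive() only redacts Terraform plan output; it does not change storage.
  api_key = sensitive(
    var.api_key_as_parameter ? data.coder_parameter.api_key[0].value : var.amp_api_key
  )
}

resource "coder_env" "amp_api_key" {
  agent_id = var.agent_id
  name     = "AMP_API_KEY" # assumed variable name read by the agent
  value    = local.api_key
}
```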
