feat: configurable expiry for temporary proxy/tunnel API keys

[alnr]

The Ory Proxy and Tunnel create a temporary project API key to configure your project. These keys were created without expiry, so if the cleanup on shutdown failed (e.g. the process was killed) the key would linger indefinitely.

Add an --api-key-expiry flag to both commands that sets a server-side expiry on the temporary key, ensuring it is removed automatically even when local cleanup does not run. Defaults to 12h; set to 0 to disable.

Summary by CodeRabbit

Release Notes

• New Features
  • API keys can now be configured with expiration durations. Control how long temporary API keys remain valid before automatic expiration.
  • New CLI setting available to manage temporary API key lifetime, with support for disabling expiration when needed.

[coderabbitai]

Warning

Review limit reached

@alnr, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 34 minutes and 10 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 6bb18870-dcfa-481f-950d-d20926a3b822

📥 Commits

Reviewing files that changed from the base of the PR and between 9b0e299 and 8605fd9.

📒 Files selected for processing (1)

• cmd/cloudx/client/api_key.go

📝 Walkthrough

Walkthrough

Adds an expiresIn time.Duration parameter to CreateProjectAPIKey and TemporaryAPIKey. When positive, ExpiresAt is set on the API request. The proxy/tunnel CLI gains a new --api-key-expiry flag (default 12 hours) wired through the config struct into TemporaryAPIKey. Tests are updated to pass 0 for no-expiry or time.Hour with ExpiresAt assertions.

Changes

API Key Expiry Support

Layer / File(s)	Summary
CreateProjectAPIKey and TemporaryAPIKey expiry parameter cmd/cloudx/client/api_key.go, cmd/cloudx/client/command_helper_test.go	Both methods gain expiresIn time.Duration; CreateProjectAPIKey sets ExpiresAt when positive. Tests pass 0 at existing call sites and assert ExpiresAt is non-nil and within the expected window for a time.Hour expiry.
Proxy/tunnel APIKeyExpiryFlag wiring cmd/cloudx/proxy/helpers.go	Adds APIKeyExpiryFlag constant and defaultAPIKeyExpiry (12h), extends config with apiKeyExpiry, registers the duration flag in registerConfigFlags, and passes conf.apiKeyExpiry to TemporaryAPIKey in runReverseProxy.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main feature: making temporary proxy/tunnel API key expiry configurable.
Description check	✅ Passed	The description provides clear context on the problem, solution, and implementation details, though it lacks a formal issue/design document reference and the template checklist is incomplete.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch alnr/temp-api-keys

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/cloudx/client/api_key.go`:
- Around line 25-29: The code currently treats negative expiresIn values the
same as zero by silently omitting the ExpiresAt field, which allows callers to
accidentally create non-expiring keys. Add explicit validation to reject
negative expiresIn values by returning an error before the conditional check,
ensuring that only positive values are accepted for creating API keys with
expiration dates. Keep the existing logic where only positive expiresIn values
trigger setting req.ExpiresAt.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 07b6b77e-a280-438e-8df1-205685662bfa

📥 Commits

Reviewing files that changed from the base of the PR and between 52eb734 and 9b0e299.

📒 Files selected for processing (3)

• cmd/cloudx/client/api_key.go
• cmd/cloudx/client/command_helper_test.go
• cmd/cloudx/proxy/helpers.go