@nordsym/apiclaw 1.8.6 → 1.8.7

package/README.md

@@ -11,7 +11,7 @@ The API layer for AI agents. One install. Three tiers of access.
 ## Install
 
 ```bash
-curl -fsSL https://apiclaw.nordsym.com/install.sh | bash
+curl -fsSL https://apiclaw.cloud/install.sh | bash
 ```
 
 Restart your AI assistant. First 5 API calls are free. Register your email to unlock 50/month.
@@ -84,16 +84,16 @@ Premium APIs proxied through APIClaw. No keys needed. APIClaw handles auth, rate
 | Unregistered | Free | 5 API calls, unlimited search |
 | Free | Free | 50 calls/month, full dashboard |
 | Founding Backer | $199 one-time | Unlimited until 2027 |
-| Enterprise | Custom | [Book a call](https://apiclaw.nordsym.com/book) |
+| Enterprise | Custom | [Book a call](https://apiclaw.cloud/book) |
 
 ## For API Providers
 
 List your APIs on APIClaw. Get discovered by AI agents. Track usage, discoveries, and calls in your dashboard.
 
-[Register as provider](https://apiclaw.nordsym.com/providers/register)
+[Register as provider](https://apiclaw.cloud/providers/register)
 
 ---
 
-[Dashboard](https://apiclaw.nordsym.com) - [Docs](https://apiclaw.nordsym.com/docs) - [Book a Call](https://apiclaw.nordsym.com/book)
+[Dashboard](https://apiclaw.cloud) - [Docs](https://apiclaw.cloud/docs) - [Book a Call](https://apiclaw.cloud/book)
 
 MIT License

package/apiclaw-README.md

@@ -23,7 +23,7 @@ The API layer for AI agents. 18 providers → 1000s of capabilities. Workspace
 
 ## The Platform
 
-**[apiclaw.nordsym.com](https://apiclaw.nordsym.com)** — Your workspace for API-powered agents.
+**[apiclaw.cloud](https://apiclaw.cloud)** — Your workspace for API-powered agents.
 
 | Layer | What You Get |
 |-------|--------------|
@@ -43,7 +43,7 @@ One `mcp-install` connects your agent to all of it.
 
 ```bash
 # Install
-curl -fsSL https://apiclaw.nordsym.com/install.sh | bash
+curl -fsSL https://apiclaw.cloud/install.sh | bash
 
 # Restart your AI assistant
 # Immediately use any API (10 calls/week)
@@ -194,7 +194,7 @@ Public APIs, instantly callable. No API keys needed.
 - Food & Recipes
 - Science & Education
 
-Browse at [apiclaw.nordsym.com/open-apis](https://apiclaw.nordsym.com/open-apis)
+Browse at [apiclaw.cloud/open-apis](https://apiclaw.cloud/open-apis)
 
 ---
 
@@ -209,7 +209,7 @@ Use `discover_apis` to search:
 "What APIs exist for recipe data?"
 ```
 
-Browse at [apiclaw.nordsym.com/discover](https://apiclaw.nordsym.com/discover)
+Browse at [apiclaw.cloud/discover](https://apiclaw.cloud/discover)
 
 ---
 
@@ -218,7 +218,7 @@ Browse at [apiclaw.nordsym.com/discover](https://apiclaw.nordsym.com/discover)
 ### One-Line Install (Recommended)
 
 ```bash
-curl -fsSL https://apiclaw.nordsym.com/install.sh | bash
+curl -fsSL https://apiclaw.cloud/install.sh | bash
 ```
 
 Auto-detects Claude Desktop or Claude Code. Configures MCP. Done.
@@ -404,7 +404,7 @@ You don't manage API keys. You don't configure auth. You don't worry about rate
 - Usage analytics in your workspace
 - Production-ready from day one
 
-**Want higher limits?** See [Pricing](#pricing) below or upgrade at [apiclaw.nordsym.com](https://apiclaw.nordsym.com).
+**Want higher limits?** See [Pricing](#pricing) below or upgrade at [apiclaw.cloud](https://apiclaw.cloud).
 
 ---
 
@@ -456,7 +456,7 @@ APIClaw is purpose-built for AI agents and MCP clients. No glue code, no key jug
 | **Scale** | $249/mo | 25,000 | Production agents |
 | **Enterprise** | Custom | Unlimited | Large teams & custom SLAs |
 
-→ [Upgrade at apiclaw.nordsym.com](https://apiclaw.nordsym.com) · Enterprise: [book a call](https://apiclaw.nordsym.com/contact)
+→ [Upgrade at apiclaw.cloud](https://apiclaw.cloud) · Enterprise: [book a call](https://apiclaw.cloud/contact)
 
 ---
 
@@ -464,9 +464,9 @@ APIClaw is purpose-built for AI agents and MCP clients. No glue code, no key jug
 
 APIClaw is optimized for discovery by AI agents and LLM tooling:
 
-- **llms.txt:** [apiclaw.nordsym.com/llms.txt](https://apiclaw.nordsym.com/llms.txt) — Machine-readable API index
-- **llms-full.txt:** [apiclaw.nordsym.com/llms-full.txt](https://apiclaw.nordsym.com/llms-full.txt) — Full capability descriptions
-- **ai-plugin.json:** [apiclaw.nordsym.com/.well-known/ai-plugin.json](https://apiclaw.nordsym.com/.well-known/ai-plugin.json) — OpenAI plugin manifest
+- **llms.txt:** [apiclaw.cloud/llms.txt](https://apiclaw.cloud/llms.txt) — Machine-readable API index
+- **llms-full.txt:** [apiclaw.cloud/llms-full.txt](https://apiclaw.cloud/llms-full.txt) — Full capability descriptions
+- **ai-plugin.json:** [apiclaw.cloud/.well-known/ai-plugin.json](https://apiclaw.cloud/.well-known/ai-plugin.json) — OpenAI plugin manifest
 - **MCP:** Install with one command and any MCP-compatible agent can use APIClaw immediately
 
 ---
@@ -480,8 +480,8 @@ APIClaw is optimized for discovery by AI agents and LLM tooling:
 
 ## Links
 
-- **Platform:** [apiclaw.nordsym.com](https://apiclaw.nordsym.com)
-- **Docs:** [apiclaw.nordsym.com/docs](https://apiclaw.nordsym.com/docs)
+- **Platform:** [apiclaw.cloud](https://apiclaw.cloud)
+- **Docs:** [apiclaw.cloud/docs](https://apiclaw.cloud/docs)
 - **GitHub:** [github.com/nordsym/apiclaw](https://github.com/nordsym/apiclaw)
 - **npm:** [@nordsym/apiclaw](https://www.npmjs.com/package/@nordsym/apiclaw)
 - **Security:** [SECURITY.md](SECURITY.md)

package/convex/_generated/api.d.ts

@@ -12,6 +12,7 @@ import type * as adminActivate from "../adminActivate.js";
 import type * as adminStats from "../adminStats.js";
 import type * as agents from "../agents.js";
 import type * as analytics from "../analytics.js";
+import type * as apiKeys from "../apiKeys.js";
 import type * as backfillAnalytics from "../backfillAnalytics.js";
 import type * as backfillSearchLogs from "../backfillSearchLogs.js";
 import type * as billing from "../billing.js";
@@ -49,6 +50,7 @@ import type * as updateAPIStatus from "../updateAPIStatus.js";
 import type * as usage from "../usage.js";
 import type * as waitlist from "../waitlist.js";
 import type * as webhooks from "../webhooks.js";
+import type * as workspaceSettings from "../workspaceSettings.js";
 import type * as workspaces from "../workspaces.js";
 
 import type {
@@ -62,6 +64,7 @@ declare const fullApi: ApiFromModules<{
   adminStats: typeof adminStats;
   agents: typeof agents;
   analytics: typeof analytics;
+  apiKeys: typeof apiKeys;
   backfillAnalytics: typeof backfillAnalytics;
   backfillSearchLogs: typeof backfillSearchLogs;
   billing: typeof billing;
@@ -99,6 +102,7 @@ declare const fullApi: ApiFromModules<{
   usage: typeof usage;
   waitlist: typeof waitlist;
   webhooks: typeof webhooks;
+  workspaceSettings: typeof workspaceSettings;
   workspaces: typeof workspaces;
 }>;
 

package/convex/apiKeys.ts

@@ -0,0 +1,220 @@
+import { v } from "convex/values";
+import { mutation, query, internalQuery } from "./_generated/server";
+
+// ============================================
+// WORKSPACE API KEYS
+// Generate persistent API keys for programmatic access.
+// Users generate keys in the dashboard, then use them
+// in any agent config, automation, or script.
+// ============================================
+
+function generateRawKey(): string {
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+  let result = "";
+  for (let i = 0; i < 48; i++) {
+    result += chars.charAt(Math.floor(Math.random() * chars.length));
+  }
+  return `sk-claw-${result}`;
+}
+
+// Simple hash for key lookup (SHA-256 not available in Convex runtime, use deterministic hash)
+function hashKey(key: string): string {
+  let hash = 0;
+  for (let i = 0; i < key.length; i++) {
+    const char = key.charCodeAt(i);
+    hash = ((hash << 5) - hash + char) | 0;
+  }
+  // Create a longer hash by running multiple rounds with offsets
+  let h1 = hash;
+  let h2 = 0;
+  for (let i = 0; i < key.length; i++) {
+    h2 = ((h2 << 7) - h2 + key.charCodeAt(i) * 31) | 0;
+  }
+  let h3 = 0;
+  for (let i = 0; i < key.length; i++) {
+    h3 = ((h3 << 11) - h3 + key.charCodeAt(i) * 127) | 0;
+  }
+  return `${(h1 >>> 0).toString(36)}-${(h2 >>> 0).toString(36)}-${(h3 >>> 0).toString(36)}`;
+}
+
+function getKeyPrefix(key: string): string {
+  return `sk-claw-...${key.slice(-4)}`;
+}
+
+// ============================================
+// GENERATE KEY
+// ============================================
+
+export const generateKey = mutation({
+  args: {
+    token: v.string(), // session token for auth
+    name: v.string(), // user label
+  },
+  handler: async (ctx, args) => {
+    // Auth via agentSession
+    const session = await ctx.db
+      .query("agentSessions")
+      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", args.token))
+      .first();
+
+    if (!session) {
+      throw new Error("Invalid session");
+    }
+
+    const workspaceId = session.workspaceId;
+
+    // Limit: max 5 active keys per workspace
+    const existingKeys = await ctx.db
+      .query("workspaceApiKeys")
+      .withIndex("by_workspaceId", (q) => q.eq("workspaceId", workspaceId))
+      .collect();
+
+    const activeKeys = existingKeys.filter((k) => !k.revokedAt);
+    if (activeKeys.length >= 5) {
+      throw new Error("Maximum 5 active keys per workspace. Revoke an existing key first.");
+    }
+
+    // Check for duplicate name
+    const nameExists = activeKeys.some(
+      (k) => k.name.toLowerCase() === args.name.toLowerCase()
+    );
+    if (nameExists) {
+      throw new Error(`A key named "${args.name}" already exists.`);
+    }
+
+    const rawKey = generateRawKey();
+    const now = Date.now();
+
+    await ctx.db.insert("workspaceApiKeys", {
+      workspaceId,
+      key: "", // We don't store the raw key
+      keyHash: hashKey(rawKey),
+      keyPrefix: getKeyPrefix(rawKey),
+      name: args.name,
+      createdAt: now,
+    });
+
+    // Return the raw key ONCE - it won't be retrievable again
+    return {
+      key: rawKey,
+      keyPrefix: getKeyPrefix(rawKey),
+      name: args.name,
+    };
+  },
+});
+
+// ============================================
+// LIST KEYS
+// ============================================
+
+export const listKeys = query({
+  args: {
+    token: v.string(),
+  },
+  handler: async (ctx, args) => {
+    const session = await ctx.db
+      .query("agentSessions")
+      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", args.token))
+      .first();
+
+    if (!session) {
+      return { keys: [] };
+    }
+
+    const keys = await ctx.db
+      .query("workspaceApiKeys")
+      .withIndex("by_workspaceId", (q) => q.eq("workspaceId", session.workspaceId))
+      .collect();
+
+    return {
+      keys: keys
+        .filter((k) => !k.revokedAt)
+        .map((k) => ({
+          id: k._id,
+          name: k.name,
+          keyPrefix: k.keyPrefix,
+          lastUsedAt: k.lastUsedAt,
+          createdAt: k.createdAt,
+        }))
+        .sort((a, b) => b.createdAt - a.createdAt),
+    };
+  },
+});
+
+// ============================================
+// REVOKE KEY
+// ============================================
+
+export const revokeKey = mutation({
+  args: {
+    token: v.string(),
+    keyId: v.id("workspaceApiKeys"),
+  },
+  handler: async (ctx, args) => {
+    const session = await ctx.db
+      .query("agentSessions")
+      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", args.token))
+      .first();
+
+    if (!session) {
+      throw new Error("Invalid session");
+    }
+
+    const key = await ctx.db.get(args.keyId);
+    if (!key || key.workspaceId !== session.workspaceId) {
+      throw new Error("Key not found");
+    }
+
+    if (key.revokedAt) {
+      throw new Error("Key already revoked");
+    }
+
+    await ctx.db.patch(args.keyId, { revokedAt: Date.now() });
+    return { success: true };
+  },
+});
+
+// ============================================
+// RESOLVE KEY (internal - used by gateway)
+// ============================================
+
+export const resolveKey = internalQuery({
+  args: {
+    rawKey: v.string(),
+  },
+  handler: async (ctx, args) => {
+    const keyHash = hashKey(args.rawKey);
+
+    const keyDoc = await ctx.db
+      .query("workspaceApiKeys")
+      .withIndex("by_keyHash", (q) => q.eq("keyHash", keyHash))
+      .first();
+
+    if (!keyDoc) {
+      return null;
+    }
+
+    if (keyDoc.revokedAt) {
+      return null;
+    }
+
+    return {
+      workspaceId: keyDoc.workspaceId,
+      keyId: keyDoc._id,
+      name: keyDoc.name,
+    };
+  },
+});
+
+// ============================================
+// TOUCH KEY (internal - update lastUsedAt)
+// ============================================
+
+export const touchKey = mutation({
+  args: {
+    keyId: v.id("workspaceApiKeys"),
+  },
+  handler: async (ctx, args) => {
+    await ctx.db.patch(args.keyId, { lastUsedAt: Date.now() });
+  },
+});

package/convex/directCall.ts

@@ -82,14 +82,31 @@ export const saveConfig = mutation({
     }),
   },
   handler: async (ctx, args) => {
-    // Verify session
-    const session = await ctx.db
-      .query("sessions")
-      .withIndex("by_token", (q) => q.eq("token", args.token))
+    // Verify session (unified: agentSessions first, fallback to legacy sessions)
+    let providerId: any = null;
+
+    const agentSession = await ctx.db
+      .query("agentSessions")
+      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", args.token))
       .first();
 
-    if (!session || session.expiresAt < Date.now()) {
-      throw new Error("Invalid or expired session");
+    if (agentSession) {
+      const provider = await ctx.db
+        .query("providers")
+        .withIndex("by_workspaceId", (q) => q.eq("workspaceId", agentSession.workspaceId))
+        .first();
+      if (!provider) throw new Error("No provider linked to workspace");
+      providerId = provider._id;
+    } else {
+      // Fallback: legacy sessions
+      const session = await ctx.db
+        .query("sessions")
+        .withIndex("by_token", (q) => q.eq("token", args.token))
+        .first();
+      if (!session || session.expiresAt < Date.now()) {
+        throw new Error("Invalid or expired session");
+      }
+      providerId = session.providerId;
     }
 
     const now = Date.now();
@@ -128,7 +145,7 @@ export const saveConfig = mutation({
 
     // Create new config
     return await ctx.db.insert("providerDirectCall", {
-      providerId: session.providerId,
+      providerId,
       apiId: config.apiId as any,
       baseUrl: config.baseUrl,
       authType: config.authType,
@@ -536,13 +553,31 @@ export const testAction = mutation({
   handler: async (ctx, args) => {
     const startTime = Date.now();
     
-    // 1. Verify provider session
-    const session = await ctx.db
-      .query("sessions")
-      .withIndex("by_token", (q) => q.eq("token", args.token))
+    // 1. Verify provider session (unified: agentSessions first, fallback to legacy)
+    let sessionProviderId: any = null;
+
+    const agentSession = await ctx.db
+      .query("agentSessions")
+      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", args.token))
       .first();
-    
-    if (!session || session.expiresAt < Date.now()) {
+
+    if (agentSession) {
+      const provider = await ctx.db
+        .query("providers")
+        .withIndex("by_workspaceId", (q) => q.eq("workspaceId", agentSession.workspaceId))
+        .first();
+      if (provider) sessionProviderId = provider._id;
+    } else {
+      const session = await ctx.db
+        .query("sessions")
+        .withIndex("by_token", (q) => q.eq("token", args.token))
+        .first();
+      if (session && session.expiresAt >= Date.now()) {
+        sessionProviderId = session.providerId;
+      }
+    }
+
+    if (!sessionProviderId) {
       return {
         success: false,
         error: "Unauthorized - invalid or expired session",
@@ -561,7 +596,7 @@ export const testAction = mutation({
     }
     
     // Verify ownership
-    if (config.providerId !== session.providerId) {
+    if (config.providerId !== sessionProviderId) {
       return {
         success: false,
         error: "Unauthorized - you don't own this config",

package/convex/email.ts

@@ -5,8 +5,8 @@ import { action, internalAction } from "./_generated/server";
 // EMAIL TEMPLATES
 // ============================================
 
-const EMAIL_FROM = "APIClaw <noreply@apiclaw.nordsym.com>";
-const APP_URL = "https://apiclaw.nordsym.com";
+const EMAIL_FROM = "APIClaw <noreply@apiclaw.cloud>";
+const APP_URL = "https://apiclaw.cloud";
 
 // Base email wrapper - using string concat for Convex compatibility
 function wrapEmail(content: string): string {
@@ -37,7 +37,7 @@ function wrapEmail(content: string): string {
     '<tr>',
     '<td style="padding: 24px 32px; background-color: #fafafa; border-top: 1px solid #f0f0f0;">',
     '<p style="margin: 0; font-size: 12px; color: #737373; text-align: center;">',
-    '<a href="https://apiclaw.nordsym.com" style="color: #ef4444; text-decoration: none;">APIClaw</a> — The API Layer for AI Agents',
+    '<a href="https://apiclaw.cloud" style="color: #ef4444; text-decoration: none;">APIClaw</a> — The API Layer for AI Agents',
     '</p>',
     '<p style="margin: 8px 0 0; font-size: 12px; color: #a3a3a3; text-align: center;">',
     '© ' + year + ' NordSym. Stockholm, Sweden.',
@@ -283,7 +283,7 @@ export const debugEmailTemplate = action({
   args: { email: v.string() },
   handler: async (ctx, { email }) => {
     const RESEND_API_KEY = process.env.RESEND_API_KEY;
-    const testUrl = "https://apiclaw.nordsym.com/auth/verify?token=DEBUG_TEST";
+    const testUrl = "https://apiclaw.cloud/auth/verify?token=DEBUG_TEST";
     
     // Generate HTML using the template
     var html = "<!DOCTYPE html><html><head><meta charset='utf-8'></head>";
@@ -309,7 +309,7 @@ export const debugEmailTemplate = action({
         "Content-Type": "application/json",
       },
       body: JSON.stringify({
-        from: "APIClaw <noreply@apiclaw.nordsym.com>",
+        from: "APIClaw <noreply@apiclaw.cloud>",
         to: email,
         subject: "DEBUG EMAIL FROM CONVEX",
         html: html,