From 4f939b9db578f799e9b4a5f8ec2c26b7a1be3440 Mon Sep 17 00:00:00 2001
From: Mackenzie Molloy <mackenzie.j.molloy@gmail.com>
Date: Wed, 31 Jul 2024 21:17:44 +0100
Subject: [PATCH 1/8] Added support for viewing and deleting of other
 Application API Keys

---
 .../Repository/ApiKeyRepositoryInterface.php  |   8 +-
 app/Http/Controllers/Admin/ApiController.php  |   4 +-
 .../Eloquent/ApiKeyRepository.php             |  13 +-
 resources/views/admin/api/index.blade.php     | 176 +++++++++---------
 4 files changed, 106 insertions(+), 95 deletions(-)

diff --git a/app/Contracts/Repository/ApiKeyRepositoryInterface.php b/app/Contracts/Repository/ApiKeyRepositoryInterface.php
index bfebbddb60..3a2dba43b1 100644
--- a/app/Contracts/Repository/ApiKeyRepositoryInterface.php
+++ b/app/Contracts/Repository/ApiKeyRepositoryInterface.php
@@ -13,9 +13,9 @@ interface ApiKeyRepositoryInterface extends RepositoryInterface
     public function getAccountKeys(User $user): Collection;
 
     /**
-     * Get all the application API keys that exist for a specific user.
+     * Get all the application API keys that exist.
      */
-    public function getApplicationKeys(User $user): Collection;
+    public function getApplicationKeys(): Collection;
 
     /**
      * Delete an account API key from the panel for a specific user.
@@ -23,7 +23,7 @@ public function getApplicationKeys(User $user): Collection;
     public function deleteAccountKey(User $user, string $identifier): int;
 
     /**
-     * Delete an application API key from the panel for a specific user.
+     * Delete an application API key from the panel.
      */
-    public function deleteApplicationKey(User $user, string $identifier): int;
+    public function deleteApplicationKey(string $identifier): int;
 }
diff --git a/app/Http/Controllers/Admin/ApiController.php b/app/Http/Controllers/Admin/ApiController.php
index 02ad6e540d..05074f3723 100644
--- a/app/Http/Controllers/Admin/ApiController.php
+++ b/app/Http/Controllers/Admin/ApiController.php
@@ -34,7 +34,7 @@ public function __construct(
     public function index(Request $request): View
     {
         return $this->view->make('admin.api.index', [
-            'keys' => $this->repository->getApplicationKeys($request->user()),
+            'keys' => $this->repository->getApplicationKeys(),
         ]);
     }
 
@@ -80,7 +80,7 @@ public function store(StoreApplicationApiKeyRequest $request): RedirectResponse
      */
     public function delete(Request $request, string $identifier): Response
     {
-        $this->repository->deleteApplicationKey($request->user(), $identifier);
+        $this->repository->deleteApplicationKey($identifier);
 
         return response('', 204);
     }
diff --git a/app/Repositories/Eloquent/ApiKeyRepository.php b/app/Repositories/Eloquent/ApiKeyRepository.php
index eb1a362aed..19bcce2797 100644
--- a/app/Repositories/Eloquent/ApiKeyRepository.php
+++ b/app/Repositories/Eloquent/ApiKeyRepository.php
@@ -28,12 +28,13 @@ public function getAccountKeys(User $user): Collection
     }
 
     /**
-     * Get all the application API keys that exist for a specific user.
+     * Get all the application API keys that exist.
      */
-    public function getApplicationKeys(User $user): Collection
+    public function getApplicationKeys(): Collection
     {
-        return $this->getBuilder()->where('user_id', $user->id)
+        return $this->getBuilder()
             ->where('key_type', ApiKey::TYPE_APPLICATION)
+            ->with('user')
             ->get($this->getColumns());
     }
 
@@ -49,11 +50,11 @@ public function deleteAccountKey(User $user, string $identifier): int
     }
 
     /**
-     * Delete an application API key from the panel for a specific user.
+     * Delete an application API key from the panel.
      */
-    public function deleteApplicationKey(User $user, string $identifier): int
+    public function deleteApplicationKey(string $identifier): int
     {
-        return $this->getBuilder()->where('user_id', $user->id)
+        return $this->getBuilder()
             ->where('key_type', ApiKey::TYPE_APPLICATION)
             ->where('identifier', $identifier)
             ->delete();
diff --git a/resources/views/admin/api/index.blade.php b/resources/views/admin/api/index.blade.php
index d863c5779a..cdd72d0f3c 100644
--- a/resources/views/admin/api/index.blade.php
+++ b/resources/views/admin/api/index.blade.php
@@ -1,103 +1,113 @@
 @extends('layouts.admin')
 
 @section('title')
-    Application API
+Application API
 @endsection
 
 @section('content-header')
-    <h1>Application API<small>Control access credentials for managing this Panel via the API.</small></h1>
-    <ol class="breadcrumb">
-        <li><a href="{{ route('admin.index') }}">Admin</a></li>
-        <li class="active">Application API</li>
-    </ol>
+<h1>Application API<small>Control access credentials for managing this Panel via the API.</small></h1>
+<ol class="breadcrumb">
+    <li><a href="{{ route('admin.index') }}">Admin</a></li>
+    <li class="active">Application API</li>
+</ol>
 @endsection
 
 @section('content')
-    <div class="row">
-        <div class="col-xs-12">
-            <div class="box box-primary">
-                <div class="box-header with-border">
-                    <h3 class="box-title">Credentials List</h3>
-                    <div class="box-tools">
-                        <a href="{{ route('admin.api.new') }}" class="btn btn-sm btn-primary">Create New</a>
-                    </div>
-                </div>
-                <div class="box-body table-responsive no-padding">
-                    <table class="table table-hover">
-                        <tr>
-                            <th>Key</th>
-                            <th>Memo</th>
-                            <th>Last Used</th>
-                            <th>Created</th>
-                            <th></th>
-                        </tr>
-                        @foreach($keys as $key)
-                            <tr>
-                                <td><code>{{ $key->identifier }}{{ decrypt($key->token) }}</code></td>
-                                <td>{{ $key->memo }}</td>
-                                <td>
-                                    @if(!is_null($key->last_used_at))
-                                        @datetimeHuman($key->last_used_at)
-                                    @else
-                                        &mdash;
-                                    @endif
-                                </td>
-                                <td>@datetimeHuman($key->created_at)</td>
-                                <td>
-                                    <a href="#" data-action="revoke-key" data-attr="{{ $key->identifier }}">
-                                        <i class="fa fa-trash-o text-danger"></i>
-                                    </a>
-                                </td>
-                            </tr>
-                        @endforeach
-                    </table>
+<div class="row">
+    <div class="col-xs-12">
+        <div class="box box-primary">
+            <div class="box-header with-border">
+                <h3 class="box-title">Credentials List</h3>
+                <div class="box-tools">
+                    <a href="{{ route('admin.api.new') }}" class="btn btn-sm btn-primary">Create New</a>
                 </div>
             </div>
+            <div class="box-body table-responsive no-padding">
+                <table class="table table-hover">
+                    <tr>
+                        <th>Key</th>
+                        <th>Memo</th>
+                        <th>Last Used</th>
+                        <th>Created</th>
+                        <th>Created by</th>
+                        <th></th>
+                    </tr>
+                    @foreach($keys as $key)
+                    <tr>
+                        <td><code>
+                                @if(Auth::user()->id != $key->user->id)
+                                {{ $key->identifier . str_repeat('*', strlen(decrypt($key->token)))}}
+                                @else
+                                {{$key->identifier . decrypt($key->token)}}
+                                @endif
+                            </code></td>
+                        <td>{{ $key->memo }}</td>
+                        <td>
+                            @if(!is_null($key->last_used_at))
+                            @datetimeHuman($key->last_used_at)
+                            @else
+                            &mdash;
+                            @endif
+                        </td>
+                        <td>@datetimeHuman($key->created_at)</td>
+                        <td>
+                            <a href="{{ route('admin.users.view', $key->user->id) }}">{{ $key->user->username }}</a>
+                        </td>
+                        <td>
+                            <a href="#" data-action="revoke-key" data-attr="{{ $key->identifier }}">
+                                <i class="fa fa-trash-o text-danger"></i>
+                            </a>
+                        </td>
+                    </tr>
+                    @endforeach
+                </table>
+            </div>
         </div>
     </div>
+</div>
 @endsection
 
 @section('footer-scripts')
-    @parent
-    <script>
-        $(document).ready(function() {
-            $('[data-action="revoke-key"]').click(function (event) {
-                var self = $(this);
-                event.preventDefault();
-                swal({
-                    type: 'error',
-                    title: 'Revoke API Key',
-                    text: 'Once this API key is revoked any applications currently using it will stop working.',
-                    showCancelButton: true,
-                    allowOutsideClick: true,
-                    closeOnConfirm: false,
-                    confirmButtonText: 'Revoke',
-                    confirmButtonColor: '#d9534f',
-                    showLoaderOnConfirm: true
-                }, function () {
-                    $.ajax({
-                        method: 'DELETE',
-                        url: '/admin/api/revoke/' + self.data('attr'),
-                        headers: {
-                            'X-CSRF-TOKEN': '{{ csrf_token() }}'
-                        }
-                    }).done(function () {
-                        swal({
-                            type: 'success',
-                            title: '',
-                            text: 'API Key has been revoked.'
-                        });
-                        self.parent().parent().slideUp();
-                    }).fail(function (jqXHR) {
-                        console.error(jqXHR);
-                        swal({
-                            type: 'error',
-                            title: 'Whoops!',
-                            text: 'An error occurred while attempting to revoke this key.'
-                        });
+@parent
+<script>
+    $(document).ready(function() {
+        $('[data-action="revoke-key"]').click(function(event) {
+            var self = $(this);
+            event.preventDefault();
+            swal({
+                type: 'error',
+                title: 'Revoke API Key',
+                text: 'Once this API key is revoked any applications currently using it will stop working.',
+                showCancelButton: true,
+                allowOutsideClick: true,
+                closeOnConfirm: false,
+                confirmButtonText: 'Revoke',
+                confirmButtonColor: '#d9534f',
+                showLoaderOnConfirm: true
+            }, function() {
+                $.ajax({
+                    method: 'DELETE',
+                    url: '/admin/api/revoke/' + self.data('attr'),
+                    headers: {
+                        'X-CSRF-TOKEN': '{{ csrf_token() }}'
+                    }
+                }).done(function() {
+                    swal({
+                        type: 'success',
+                        title: '',
+                        text: 'API Key has been revoked.'
+                    });
+                    self.parent().parent().slideUp();
+                }).fail(function(jqXHR) {
+                    console.error(jqXHR);
+                    swal({
+                        type: 'error',
+                        title: 'Whoops!',
+                        text: 'An error occurred while attempting to revoke this key.'
                     });
                 });
             });
         });
-    </script>
-@endsection
+    });
+</script>
+@endsection
\ No newline at end of file

From 0e01ae738b97336b0d7d016e96a54bf306f228ee Mon Sep 17 00:00:00 2001
From: Mackenzie Molloy <mackenzie.j.molloy@gmail.com>
Date: Wed, 31 Jul 2024 21:49:16 +0100
Subject: [PATCH 2/8] Updated NodeAutoDeployController getApplicationKeys
 reference

---
 app/Http/Controllers/Admin/NodeAutoDeployController.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/Http/Controllers/Admin/NodeAutoDeployController.php b/app/Http/Controllers/Admin/NodeAutoDeployController.php
index ac0684a9c9..ac6fd5ea80 100644
--- a/app/Http/Controllers/Admin/NodeAutoDeployController.php
+++ b/app/Http/Controllers/Admin/NodeAutoDeployController.php
@@ -32,8 +32,9 @@ public function __construct(
     public function __invoke(Request $request, Node $node): JsonResponse
     {
         /** @var \Pterodactyl\Models\ApiKey|null $key */
-        $key = $this->repository->getApplicationKeys($request->user())
+        $key = $this->repository->getApplicationKeys()
             ->filter(function (ApiKey $key) {
+                if ($key->user->id != $request->user()->id) return false;
                 foreach ($key->getAttributes() as $permission => $value) {
                     if ($permission === 'r_nodes' && $value === 1) {
                         return true;

From c355df1c96fc370f03cfbcd0ca41050064e86177 Mon Sep 17 00:00:00 2001
From: Mackenzie Molloy <mackenzie.j.molloy@gmail.com>
Date: Sun, 4 Jan 2026 19:51:40 +0000
Subject: [PATCH 3/8] Fixed formatting and replaced decrypt with fixed
 characters

---
 resources/views/admin/api/index.blade.php | 184 +++++++++++-----------
 1 file changed, 92 insertions(+), 92 deletions(-)

diff --git a/resources/views/admin/api/index.blade.php b/resources/views/admin/api/index.blade.php
index cdd72d0f3c..9aa0a7e5c6 100644
--- a/resources/views/admin/api/index.blade.php
+++ b/resources/views/admin/api/index.blade.php
@@ -1,113 +1,113 @@
 @extends('layouts.admin')
 
 @section('title')
-Application API
+    Application API
 @endsection
 
 @section('content-header')
-<h1>Application API<small>Control access credentials for managing this Panel via the API.</small></h1>
-<ol class="breadcrumb">
-    <li><a href="{{ route('admin.index') }}">Admin</a></li>
-    <li class="active">Application API</li>
-</ol>
+    <h1>Application API<small>Control access credentials for managing this Panel via the API.</small></h1>
+    <ol class="breadcrumb">
+        <li><a href="{{ route('admin.index') }}">Admin</a></li>
+        <li class="active">Application API</li>
+    </ol>
 @endsection
 
 @section('content')
-<div class="row">
-    <div class="col-xs-12">
-        <div class="box box-primary">
-            <div class="box-header with-border">
-                <h3 class="box-title">Credentials List</h3>
-                <div class="box-tools">
-                    <a href="{{ route('admin.api.new') }}" class="btn btn-sm btn-primary">Create New</a>
+    <div class="row">
+        <div class="col-xs-12">
+            <div class="box box-primary">
+                <div class="box-header with-border">
+                    <h3 class="box-title">Credentials List</h3>
+                    <div class="box-tools">
+                        <a href="{{ route('admin.api.new') }}" class="btn btn-sm btn-primary">Create New</a>
+                    </div>
+                </div>
+                <div class="box-body table-responsive no-padding">
+                    <table class="table table-hover">
+                        <tr>
+                            <th>Key</th>
+                            <th>Memo</th>
+                            <th>Last Used</th>
+                            <th>Created</th>
+                            <th>Created by</th>
+                            <th></th>
+                        </tr>
+                        @foreach($keys as $key)
+                            <tr>
+                                <td><code>
+                                    @if(Auth::user()->id != $key->user->id)
+                                        {{ $key->identifier . "****" }}
+                                    @else
+                                        {{ $key->identifier . decrypt($key->token) }}
+                                    @endif
+                                </code></td>
+                                <td>{{ $key->memo }}</td>
+                                <td>
+                                    @if(!is_null($key->last_used_at))
+                                        @datetimeHuman($key->last_used_at)
+                                    @else
+                                        &mdash;
+                                    @endif
+                                </td>
+                                <td>@datetimeHuman($key->created_at)</td>
+                                <td>
+                                    <a href="{{ route('admin.users.view', $key->user->id) }}">{{ $key->user->username }}</a>
+                                </td>
+                                <td>
+                                    <a href="#" data-action="revoke-key" data-attr="{{ $key->identifier }}">
+                                        <i class="fa fa-trash-o text-danger"></i>
+                                    </a>
+                                </td>
+                            </tr>
+                        @endforeach
+                    </table>
                 </div>
-            </div>
-            <div class="box-body table-responsive no-padding">
-                <table class="table table-hover">
-                    <tr>
-                        <th>Key</th>
-                        <th>Memo</th>
-                        <th>Last Used</th>
-                        <th>Created</th>
-                        <th>Created by</th>
-                        <th></th>
-                    </tr>
-                    @foreach($keys as $key)
-                    <tr>
-                        <td><code>
-                                @if(Auth::user()->id != $key->user->id)
-                                {{ $key->identifier . str_repeat('*', strlen(decrypt($key->token)))}}
-                                @else
-                                {{$key->identifier . decrypt($key->token)}}
-                                @endif
-                            </code></td>
-                        <td>{{ $key->memo }}</td>
-                        <td>
-                            @if(!is_null($key->last_used_at))
-                            @datetimeHuman($key->last_used_at)
-                            @else
-                            &mdash;
-                            @endif
-                        </td>
-                        <td>@datetimeHuman($key->created_at)</td>
-                        <td>
-                            <a href="{{ route('admin.users.view', $key->user->id) }}">{{ $key->user->username }}</a>
-                        </td>
-                        <td>
-                            <a href="#" data-action="revoke-key" data-attr="{{ $key->identifier }}">
-                                <i class="fa fa-trash-o text-danger"></i>
-                            </a>
-                        </td>
-                    </tr>
-                    @endforeach
-                </table>
             </div>
         </div>
     </div>
-</div>
 @endsection
 
 @section('footer-scripts')
-@parent
-<script>
-    $(document).ready(function() {
-        $('[data-action="revoke-key"]').click(function(event) {
-            var self = $(this);
-            event.preventDefault();
-            swal({
-                type: 'error',
-                title: 'Revoke API Key',
-                text: 'Once this API key is revoked any applications currently using it will stop working.',
-                showCancelButton: true,
-                allowOutsideClick: true,
-                closeOnConfirm: false,
-                confirmButtonText: 'Revoke',
-                confirmButtonColor: '#d9534f',
-                showLoaderOnConfirm: true
-            }, function() {
-                $.ajax({
-                    method: 'DELETE',
-                    url: '/admin/api/revoke/' + self.data('attr'),
-                    headers: {
-                        'X-CSRF-TOKEN': '{{ csrf_token() }}'
-                    }
-                }).done(function() {
-                    swal({
-                        type: 'success',
-                        title: '',
-                        text: 'API Key has been revoked.'
-                    });
-                    self.parent().parent().slideUp();
-                }).fail(function(jqXHR) {
-                    console.error(jqXHR);
-                    swal({
-                        type: 'error',
-                        title: 'Whoops!',
-                        text: 'An error occurred while attempting to revoke this key.'
+    @parent
+    <script>
+        $(document).ready(function() {
+            $('[data-action="revoke-key"]').click(function (event) {
+                var self = $(this);
+                event.preventDefault();
+                swal({
+                    type: 'error',
+                    title: 'Revoke API Key',
+                    text: 'Once this API key is revoked any applications currently using it will stop working.',
+                    showCancelButton: true,
+                    allowOutsideClick: true,
+                    closeOnConfirm: false,
+                    confirmButtonText: 'Revoke',
+                    confirmButtonColor: '#d9534f',
+                    showLoaderOnConfirm: true
+                }, function () {
+                    $.ajax({
+                        method: 'DELETE',
+                        url: '/admin/api/revoke/' + self.data('attr'),
+                        headers: {
+                            'X-CSRF-TOKEN': '{{ csrf_token() }}'
+                        }
+                    }).done(function () {
+                        swal({
+                            type: 'success',
+                            title: '',
+                            text: 'API Key has been revoked.'
+                        });
+                        self.parent().parent().slideUp();
+                    }).fail(function (jqXHR) {
+                        console.error(jqXHR);
+                        swal({
+                            type: 'error',
+                            title: 'Whoops!',
+                            text: 'An error occurred while attempting to revoke this key.'
+                        });
                     });
                 });
             });
         });
-    });
-</script>
+    </script>
 @endsection
\ No newline at end of file

From be101e264439393c3d6a9c4be749ab48107ed5ae Mon Sep 17 00:00:00 2001
From: Mackenzie Molloy <mackenzie.j.molloy@gmail.com>
Date: Sun, 4 Jan 2026 20:28:10 +0000
Subject: [PATCH 4/8] Made user nullable

---
 .../Repository/ApiKeyRepositoryInterface.php  |  4 +--
 app/Http/Controllers/Admin/ApiController.php  |  2 +-
 .../Admin/NodeAutoDeployController.php        |  2 +-
 .../Eloquent/ApiKeyRepository.php             | 29 +++++++++++++++----
 4 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/app/Contracts/Repository/ApiKeyRepositoryInterface.php b/app/Contracts/Repository/ApiKeyRepositoryInterface.php
index 3a2dba43b1..0d07f7b27e 100644
--- a/app/Contracts/Repository/ApiKeyRepositoryInterface.php
+++ b/app/Contracts/Repository/ApiKeyRepositoryInterface.php
@@ -15,7 +15,7 @@ public function getAccountKeys(User $user): Collection;
     /**
      * Get all the application API keys that exist.
      */
-    public function getApplicationKeys(): Collection;
+    public function getApplicationKeys(?User $user = null): Collection;
 
     /**
      * Delete an account API key from the panel for a specific user.
@@ -25,5 +25,5 @@ public function deleteAccountKey(User $user, string $identifier): int;
     /**
      * Delete an application API key from the panel.
      */
-    public function deleteApplicationKey(string $identifier): int;
+    public function deleteApplicationKey(?User $user = null, string $identifier): int;
 }
diff --git a/app/Http/Controllers/Admin/ApiController.php b/app/Http/Controllers/Admin/ApiController.php
index 98fa8820c5..4a300f2205 100644
--- a/app/Http/Controllers/Admin/ApiController.php
+++ b/app/Http/Controllers/Admin/ApiController.php
@@ -78,7 +78,7 @@ public function store(StoreApplicationApiKeyRequest $request): RedirectResponse
      */
     public function delete(Request $request, string $identifier): Response
     {
-        $this->repository->deleteApplicationKey($identifier);
+        $this->repository->deleteApplicationKey(null, $identifier);
 
         return response('', 204);
     }
diff --git a/app/Http/Controllers/Admin/NodeAutoDeployController.php b/app/Http/Controllers/Admin/NodeAutoDeployController.php
index b57d0b103d..3f7e02ebe2 100644
--- a/app/Http/Controllers/Admin/NodeAutoDeployController.php
+++ b/app/Http/Controllers/Admin/NodeAutoDeployController.php
@@ -32,7 +32,7 @@ public function __construct(
     public function __invoke(Request $request, Node $node): JsonResponse
     {
         /** @var ApiKey|null $key */
-        $key = $this->repository->getApplicationKeys()
+        $key = $this->repository->getApplicationKeys($request->user())
             ->filter(function (ApiKey $key) {
                 if ($key->user->id != $request->user()->id) return false;
                 foreach ($key->getAttributes() as $permission => $value) {
diff --git a/app/Repositories/Eloquent/ApiKeyRepository.php b/app/Repositories/Eloquent/ApiKeyRepository.php
index 19bcce2797..ac20a1219f 100644
--- a/app/Repositories/Eloquent/ApiKeyRepository.php
+++ b/app/Repositories/Eloquent/ApiKeyRepository.php
@@ -28,14 +28,33 @@ public function getAccountKeys(User $user): Collection
     }
 
     /**
-     * Get all the application API keys that exist.
+     * Get all the application API keys. If a user is provided, filter by that user.
      */
-    public function getApplicationKeys(): Collection
+    public function getApplicationKeys(?User $user = null): Collection
     {
-        return $this->getBuilder()
+        $instance = $this->getBuilder()->where('key_type', ApiKey::TYPE_APPLICATION);
+    
+        if ($user) {
+            $instance->where('user_id', $user->id);
+        }
+    
+        return $instance->get($this->getColumns());
+    }
+    
+    /**
+     * Delete an application API key. If a user is provided, ensure it belongs to them.
+     */
+    public function deleteApplicationKey(?User $user = null, string $identifier): int
+    {
+        $query = $this->getBuilder()
             ->where('key_type', ApiKey::TYPE_APPLICATION)
-            ->with('user')
-            ->get($this->getColumns());
+            ->where('identifier', $identifier);
+    
+        if ($user) {
+            $query->where('user_id', $user->id);
+        }
+    
+        return $query->delete();
     }
 
     /**

From 26af9062c92d149b86e75f60b965bb19d85d1450 Mon Sep 17 00:00:00 2001
From: Mackenzie Molloy <mackenzie.j.molloy@gmail.com>
Date: Sun, 4 Jan 2026 20:33:27 +0000
Subject: [PATCH 5/8] Corrected some deletions

---
 app/Contracts/Repository/ApiKeyRepositoryInterface.php |  4 ++--
 app/Repositories/Eloquent/ApiKeyRepository.php         | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/app/Contracts/Repository/ApiKeyRepositoryInterface.php b/app/Contracts/Repository/ApiKeyRepositoryInterface.php
index 0d07f7b27e..3dc9fc9596 100644
--- a/app/Contracts/Repository/ApiKeyRepositoryInterface.php
+++ b/app/Contracts/Repository/ApiKeyRepositoryInterface.php
@@ -13,7 +13,7 @@ interface ApiKeyRepositoryInterface extends RepositoryInterface
     public function getAccountKeys(User $user): Collection;
 
     /**
-     * Get all the application API keys that exist.
+     * Get all the application API keys that exist for a specific user.
      */
     public function getApplicationKeys(?User $user = null): Collection;
 
@@ -23,7 +23,7 @@ public function getApplicationKeys(?User $user = null): Collection;
     public function deleteAccountKey(User $user, string $identifier): int;
 
     /**
-     * Delete an application API key from the panel.
+     * Delete an application API key from the panel for a specific user.
      */
     public function deleteApplicationKey(?User $user = null, string $identifier): int;
 }
diff --git a/app/Repositories/Eloquent/ApiKeyRepository.php b/app/Repositories/Eloquent/ApiKeyRepository.php
index ac20a1219f..1399d91326 100644
--- a/app/Repositories/Eloquent/ApiKeyRepository.php
+++ b/app/Repositories/Eloquent/ApiKeyRepository.php
@@ -33,14 +33,14 @@ public function getAccountKeys(User $user): Collection
     public function getApplicationKeys(?User $user = null): Collection
     {
         $instance = $this->getBuilder()->where('key_type', ApiKey::TYPE_APPLICATION);
-    
+
         if ($user) {
             $instance->where('user_id', $user->id);
         }
-    
+
         return $instance->get($this->getColumns());
     }
-    
+
     /**
      * Delete an application API key. If a user is provided, ensure it belongs to them.
      */
@@ -49,11 +49,11 @@ public function deleteApplicationKey(?User $user = null, string $identifier): in
         $query = $this->getBuilder()
             ->where('key_type', ApiKey::TYPE_APPLICATION)
             ->where('identifier', $identifier);
-    
+
         if ($user) {
             $query->where('user_id', $user->id);
         }
-    
+
         return $query->delete();
     }
 

From bc5e80adb86ea968045b77089b615bc1afe80928 Mon Sep 17 00:00:00 2001
From: Mackenzie Molloy <mackenzie.j.molloy@gmail.com>
Date: Sun, 4 Jan 2026 20:37:24 +0000
Subject: [PATCH 6/8] Fixed weird CS Fixer rule

---
 app/Http/Controllers/Admin/NodeAutoDeployController.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/Http/Controllers/Admin/NodeAutoDeployController.php b/app/Http/Controllers/Admin/NodeAutoDeployController.php
index 3f7e02ebe2..9af8947432 100644
--- a/app/Http/Controllers/Admin/NodeAutoDeployController.php
+++ b/app/Http/Controllers/Admin/NodeAutoDeployController.php
@@ -34,7 +34,9 @@ public function __invoke(Request $request, Node $node): JsonResponse
         /** @var ApiKey|null $key */
         $key = $this->repository->getApplicationKeys($request->user())
             ->filter(function (ApiKey $key) {
-                if ($key->user->id != $request->user()->id) return false;
+                if ($key->user->id != $request->user()->id) { 
+                    return false;
+                }
                 foreach ($key->getAttributes() as $permission => $value) {
                     if ($permission === 'r_nodes' && $value === 1) {
                         return true;

From a691b068a49087e490aaf6df8ad50a1f97df2752 Mon Sep 17 00:00:00 2001
From: Mackenzie Molloy <mackenzie.j.molloy@gmail.com>
Date: Sun, 4 Jan 2026 20:51:57 +0000
Subject: [PATCH 7/8] Removed hidden space

---
 app/Http/Controllers/Admin/NodeAutoDeployController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Http/Controllers/Admin/NodeAutoDeployController.php b/app/Http/Controllers/Admin/NodeAutoDeployController.php
index 9af8947432..e44e7d6730 100644
--- a/app/Http/Controllers/Admin/NodeAutoDeployController.php
+++ b/app/Http/Controllers/Admin/NodeAutoDeployController.php
@@ -34,7 +34,7 @@ public function __invoke(Request $request, Node $node): JsonResponse
         /** @var ApiKey|null $key */
         $key = $this->repository->getApplicationKeys($request->user())
             ->filter(function (ApiKey $key) {
-                if ($key->user->id != $request->user()->id) { 
+                if ($key->user->id != $request->user()->id) {
                     return false;
                 }
                 foreach ($key->getAttributes() as $permission => $value) {

From 14201b0975b65ab74934b9e2b83a84efbc417191 Mon Sep 17 00:00:00 2001
From: DaneEveritt <dane@daneeveritt.com>
Date: Sun, 4 Jan 2026 16:58:27 -0800
Subject: [PATCH 8/8] Remove the need for a repository

---
 CHANGELOG.md                                  |  3 ++
 .../Repository/ApiKeyRepositoryInterface.php  | 10 -----
 app/Http/Controllers/Admin/ApiController.php  |  9 ++--
 .../Admin/NodeAutoDeployController.php        | 20 ++-------
 .../Eloquent/ApiKeyRepository.php             | 41 -------------------
 resources/views/admin/api/index.blade.php     |  8 ++--
 6 files changed, 16 insertions(+), 75 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3cf63cf354..97f3d51e44 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,9 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 * Administrators are now listed first when viewing a list of all users on the system.
 * Websocket no longer endlessly polls when connection issues are encountered, or when Wings disconnects the user for a reason that should not be re-attempted.
 
+### Added
+* Administrators can now view all of the application API keys that have been created. They cannot view the full key unless they are the owner.
+
 ## v1.11.10
 ### Fixed
 * Update Laravel to address [CVE-2024-52301](https://github.com/advisories/GHSA-gv7v-rgg6-548h)
diff --git a/app/Contracts/Repository/ApiKeyRepositoryInterface.php b/app/Contracts/Repository/ApiKeyRepositoryInterface.php
index 3dc9fc9596..0ed8b247c4 100644
--- a/app/Contracts/Repository/ApiKeyRepositoryInterface.php
+++ b/app/Contracts/Repository/ApiKeyRepositoryInterface.php
@@ -12,18 +12,8 @@ interface ApiKeyRepositoryInterface extends RepositoryInterface
      */
     public function getAccountKeys(User $user): Collection;
 
-    /**
-     * Get all the application API keys that exist for a specific user.
-     */
-    public function getApplicationKeys(?User $user = null): Collection;
-
     /**
      * Delete an account API key from the panel for a specific user.
      */
     public function deleteAccountKey(User $user, string $identifier): int;
-
-    /**
-     * Delete an application API key from the panel for a specific user.
-     */
-    public function deleteApplicationKey(?User $user = null, string $identifier): int;
 }
diff --git a/app/Http/Controllers/Admin/ApiController.php b/app/Http/Controllers/Admin/ApiController.php
index 4a300f2205..a8f87bf536 100644
--- a/app/Http/Controllers/Admin/ApiController.php
+++ b/app/Http/Controllers/Admin/ApiController.php
@@ -11,7 +11,6 @@
 use Pterodactyl\Services\Acl\Api\AdminAcl;
 use Pterodactyl\Http\Controllers\Controller;
 use Pterodactyl\Services\Api\KeyCreationService;
-use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
 use Pterodactyl\Http\Requests\Admin\Api\StoreApplicationApiKeyRequest;
 
 class ApiController extends Controller
@@ -21,7 +20,6 @@ class ApiController extends Controller
      */
     public function __construct(
         private AlertsMessageBag $alert,
-        private ApiKeyRepositoryInterface $repository,
         private KeyCreationService $keyCreationService,
     ) {
     }
@@ -32,7 +30,7 @@ public function __construct(
     public function index(Request $request): View
     {
         return view('admin.api.index', [
-            'keys' => $this->repository->getApplicationKeys(),
+            'keys' => ApiKey::query()->where('key_type', ApiKey::TYPE_APPLICATION)->get(),
         ]);
     }
 
@@ -78,7 +76,10 @@ public function store(StoreApplicationApiKeyRequest $request): RedirectResponse
      */
     public function delete(Request $request, string $identifier): Response
     {
-        $this->repository->deleteApplicationKey(null, $identifier);
+        ApiKey::query()
+            ->where('key_type', ApiKey::TYPE_APPLICATION)
+            ->where('identifier', $identifier)
+            ->delete();
 
         return response('', 204);
     }
diff --git a/app/Http/Controllers/Admin/NodeAutoDeployController.php b/app/Http/Controllers/Admin/NodeAutoDeployController.php
index e44e7d6730..2be1a9111a 100644
--- a/app/Http/Controllers/Admin/NodeAutoDeployController.php
+++ b/app/Http/Controllers/Admin/NodeAutoDeployController.php
@@ -9,7 +9,6 @@
 use Pterodactyl\Http\Controllers\Controller;
 use Illuminate\Contracts\Encryption\Encrypter;
 use Pterodactyl\Services\Api\KeyCreationService;
-use Pterodactyl\Repositories\Eloquent\ApiKeyRepository;
 
 class NodeAutoDeployController extends Controller
 {
@@ -17,7 +16,6 @@ class NodeAutoDeployController extends Controller
      * NodeAutoDeployController constructor.
      */
     public function __construct(
-        private ApiKeyRepository $repository,
         private Encrypter $encrypter,
         private KeyCreationService $keyCreationService,
     ) {
@@ -31,20 +29,10 @@ public function __construct(
      */
     public function __invoke(Request $request, Node $node): JsonResponse
     {
-        /** @var ApiKey|null $key */
-        $key = $this->repository->getApplicationKeys($request->user())
-            ->filter(function (ApiKey $key) {
-                if ($key->user->id != $request->user()->id) {
-                    return false;
-                }
-                foreach ($key->getAttributes() as $permission => $value) {
-                    if ($permission === 'r_nodes' && $value === 1) {
-                        return true;
-                    }
-                }
-
-                return false;
-            })
+        $key = ApiKey::query()
+            ->where('user_id', $request->user()->id)
+            ->where('key_type', ApiKey::TYPE_APPLICATION)
+            ->where('r_nodes', 1)
             ->first();
 
         // We couldn't find a key that exists for this user with only permission for
diff --git a/app/Repositories/Eloquent/ApiKeyRepository.php b/app/Repositories/Eloquent/ApiKeyRepository.php
index 1399d91326..5a63514fe0 100644
--- a/app/Repositories/Eloquent/ApiKeyRepository.php
+++ b/app/Repositories/Eloquent/ApiKeyRepository.php
@@ -27,36 +27,6 @@ public function getAccountKeys(User $user): Collection
             ->get($this->getColumns());
     }
 
-    /**
-     * Get all the application API keys. If a user is provided, filter by that user.
-     */
-    public function getApplicationKeys(?User $user = null): Collection
-    {
-        $instance = $this->getBuilder()->where('key_type', ApiKey::TYPE_APPLICATION);
-
-        if ($user) {
-            $instance->where('user_id', $user->id);
-        }
-
-        return $instance->get($this->getColumns());
-    }
-
-    /**
-     * Delete an application API key. If a user is provided, ensure it belongs to them.
-     */
-    public function deleteApplicationKey(?User $user = null, string $identifier): int
-    {
-        $query = $this->getBuilder()
-            ->where('key_type', ApiKey::TYPE_APPLICATION)
-            ->where('identifier', $identifier);
-
-        if ($user) {
-            $query->where('user_id', $user->id);
-        }
-
-        return $query->delete();
-    }
-
     /**
      * Delete an account API key from the panel for a specific user.
      */
@@ -67,15 +37,4 @@ public function deleteAccountKey(User $user, string $identifier): int
             ->where('identifier', $identifier)
             ->delete();
     }
-
-    /**
-     * Delete an application API key from the panel.
-     */
-    public function deleteApplicationKey(string $identifier): int
-    {
-        return $this->getBuilder()
-            ->where('key_type', ApiKey::TYPE_APPLICATION)
-            ->where('identifier', $identifier)
-            ->delete();
-    }
 }
diff --git a/resources/views/admin/api/index.blade.php b/resources/views/admin/api/index.blade.php
index 9aa0a7e5c6..4658ee9c8e 100644
--- a/resources/views/admin/api/index.blade.php
+++ b/resources/views/admin/api/index.blade.php
@@ -35,10 +35,10 @@
                         @foreach($keys as $key)
                             <tr>
                                 <td><code>
-                                    @if(Auth::user()->id != $key->user->id)
-                                        {{ $key->identifier . "****" }}
-                                    @else
+                                    @if (Auth::user()->is($key->user))
                                         {{ $key->identifier . decrypt($key->token) }}
+                                    @else
+                                        {{ $key->identifier . '****' }}
                                     @endif
                                 </code></td>
                                 <td>{{ $key->memo }}</td>
@@ -110,4 +110,4 @@
             });
         });
     </script>
-@endsection
\ No newline at end of file
+@endsection