pterodactyl · MackenzieMolloy · Jul 31, 2024 · Jul 31, 2024 · Dec 26, 2025 · Jan 4, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -28,6 +28,9 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 * Administrators are now listed first when viewing a list of all users on the system.
 * Websocket no longer endlessly polls when connection issues are encountered, or when Wings disconnects the user for a reason that should not be re-attempted.
 
+### Added
+* Administrators can now view all of the application API keys that have been created. They cannot view the full key unless they are the owner.
+
 ## v1.11.10
 ### Fixed
 * Update Laravel to address [CVE-2024-52301](https://github.com/advisories/GHSA-gv7v-rgg6-548h)

diff --git a/app/Contracts/Repository/ApiKeyRepositoryInterface.php b/app/Contracts/Repository/ApiKeyRepositoryInterface.php
@@ -12,18 +12,8 @@ interface ApiKeyRepositoryInterface extends RepositoryInterface
      */
     public function getAccountKeys(User $user): Collection;
 
-    /**
-     * Get all the application API keys that exist for a specific user.
-     */
-    public function getApplicationKeys(User $user): Collection;
-
     /**
      * Delete an account API key from the panel for a specific user.
      */
     public function deleteAccountKey(User $user, string $identifier): int;
-
-    /**
-     * Delete an application API key from the panel for a specific user.
-     */
-    public function deleteApplicationKey(User $user, string $identifier): int;
 }
diff --git a/app/Http/Controllers/Admin/ApiController.php b/app/Http/Controllers/Admin/ApiController.php
@@ -11,7 +11,6 @@
 use Pterodactyl\Services\Acl\Api\AdminAcl;
 use Pterodactyl\Http\Controllers\Controller;
 use Pterodactyl\Services\Api\KeyCreationService;
-use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
 use Pterodactyl\Http\Requests\Admin\Api\StoreApplicationApiKeyRequest;
 
 class ApiController extends Controller
@@ -21,7 +20,6 @@ class ApiController extends Controller
      */
     public function __construct(
         private AlertsMessageBag $alert,
-        private ApiKeyRepositoryInterface $repository,
         private KeyCreationService $keyCreationService,
     ) {
     }
@@ -32,7 +30,7 @@ public function __construct(
     public function index(Request $request): View
     {
         return view('admin.api.index', [
-            'keys' => $this->repository->getApplicationKeys($request->user()),
+            'keys' => ApiKey::query()->where('key_type', ApiKey::TYPE_APPLICATION)->get(),
         ]);
     }
 
@@ -78,7 +76,10 @@ public function store(StoreApplicationApiKeyRequest $request): RedirectResponse
      */
     public function delete(Request $request, string $identifier): Response
     {
-        $this->repository->deleteApplicationKey($request->user(), $identifier);
+        ApiKey::query()
+            ->where('key_type', ApiKey::TYPE_APPLICATION)
+            ->where('identifier', $identifier)
+            ->delete();
 
         return response('', 204);
     }

diff --git a/app/Http/Controllers/Admin/NodeAutoDeployController.php b/app/Http/Controllers/Admin/NodeAutoDeployController.php
@@ -9,15 +9,13 @@
 use Pterodactyl\Http\Controllers\Controller;
 use Illuminate\Contracts\Encryption\Encrypter;
 use Pterodactyl\Services\Api\KeyCreationService;
-use Pterodactyl\Repositories\Eloquent\ApiKeyRepository;
 
 class NodeAutoDeployController extends Controller
 {
     /**
      * NodeAutoDeployController constructor.
      */
     public function __construct(
-        private ApiKeyRepository $repository,
         private Encrypter $encrypter,
         private KeyCreationService $keyCreationService,
     ) {
@@ -31,17 +29,10 @@ public function __construct(
      */
     public function __invoke(Request $request, Node $node): JsonResponse
     {
-        /** @var ApiKey|null $key */
-        $key = $this->repository->getApplicationKeys($request->user())
-            ->filter(function (ApiKey $key) {
-                foreach ($key->getAttributes() as $permission => $value) {
-                    if ($permission === 'r_nodes' && $value === 1) {
-                        return true;
-                    }
-                }
-
-                return false;
-            })
+        $key = ApiKey::query()
+            ->where('user_id', $request->user()->id)
+            ->where('key_type', ApiKey::TYPE_APPLICATION)
+            ->where('r_nodes', 1)
             ->first();
 
         // We couldn't find a key that exists for this user with only permission for

diff --git a/app/Repositories/Eloquent/ApiKeyRepository.php b/app/Repositories/Eloquent/ApiKeyRepository.php
@@ -27,16 +27,6 @@ public function getAccountKeys(User $user): Collection
             ->get($this->getColumns());
     }
 
-    /**
-     * Get all the application API keys that exist for a specific user.
-     */
-    public function getApplicationKeys(User $user): Collection
-    {
-        return $this->getBuilder()->where('user_id', $user->id)
-            ->where('key_type', ApiKey::TYPE_APPLICATION)
-            ->get($this->getColumns());
-    }
-
     /**
      * Delete an account API key from the panel for a specific user.
      */
@@ -47,15 +37,4 @@ public function deleteAccountKey(User $user, string $identifier): int
             ->where('identifier', $identifier)
             ->delete();
     }
-
-    /**
-     * Delete an application API key from the panel for a specific user.
-     */
-    public function deleteApplicationKey(User $user, string $identifier): int
-    {
-        return $this->getBuilder()->where('user_id', $user->id)
-            ->where('key_type', ApiKey::TYPE_APPLICATION)
-            ->where('identifier', $identifier)
-            ->delete();
-    }
 }
diff --git a/resources/views/admin/api/index.blade.php b/resources/views/admin/api/index.blade.php
@@ -29,11 +29,18 @@
                             <th>Memo</th>
                             <th>Last Used</th>
                             <th>Created</th>
+                            <th>Created by</th>
                             <th></th>
                         </tr>
                         @foreach($keys as $key)
                             <tr>
-                                <td><code>{{ $key->identifier }}{{ decrypt($key->token) }}</code></td>
+                                <td><code>
+                                    @if (Auth::user()->is($key->user))
+                                        {{ $key->identifier . decrypt($key->token) }}
+                                    @else
+                                        {{ $key->identifier . '****' }}
+                                    @endif
+                                </code></td>
                                 <td>{{ $key->memo }}</td>
                                 <td>
                                     @if(!is_null($key->last_used_at))
@@ -43,6 +50,9 @@
                                     @endif
                                 </td>
                                 <td>@datetimeHuman($key->created_at)</td>
+                                <td>
+                                    <a href="{{ route('admin.users.view', $key->user->id) }}">{{ $key->user->username }}</a>
+                                </td>
                                 <td>
                                     <a href="#" data-action="revoke-key" data-attr="{{ $key->identifier }}">
                                         <i class="fa fa-trash-o text-danger"></i>