feat(api): add app listing endpoint#6491
Merged
Merged
Conversation
This was referenced Jun 18, 2026
Collaborator
Author
19 tasks
b11231d to
e2f1e95
Compare
2c3a04c to
07f034c
Compare
e2f1e95 to
3e476a4
Compare
07f034c to
2d983d3
Compare
This was referenced Jun 19, 2026
3e476a4 to
d11c4c6
Compare
2d983d3 to
41476b1
Compare
d11c4c6 to
a67c015
Compare
41476b1 to
2cb7c32
Compare
2cb7c32 to
dbc46ae
Compare
Flo4604
reviewed
Jun 25, 2026
ba1ab7f to
9360c70
Compare
Contributor
There was a problem hiding this comment.
✅ No new issues found.
Reviewed changes — since the prior pullfrog review (720e626), the ListAppsByProject query stopped embedding the full apps row; this run re-reviewed that delta (commit 9360c70).
sqlc.embed(apps)replaced withSELECT apps.*—pkg/db/queries/app_list_by_project.sqlno longer embeds, so the regeneratedListAppsByProjectreturns[]Appinstead of[]ListAppsByProjectRow(the.App-wrapper struct is gone fromapp_list_by_project.sql_generated.goandquerier_generated.go).- Handler updated in lockstep —
svc/api/routes/v2_apps_list_apps/handler.goreadsrow.ID/row.Name/row.ProjectIDetc. directly off the flattenedApprow; the cursor-pagination, RBAC, and 404-on-authz-failure logic are untouched.
The flattening is mechanically correct and self-consistent: the Scan targets and the handler field accesses both move off the .App wrapper together, and the response mapping is unchanged. This resolves Flo4604's inline question on the embed. The cursor logic flagged informationally in the initial review remains untouched.
@v0 or keep the SHA fresh with Dependabot | View workflow run | Using Claude Opus | 𝕏
9360c70 to
4790717
Compare
4790717 to
ac031f3
Compare
This was referenced Jun 29, 2026
chronark
approved these changes
Jul 1, 2026
Flo4604
approved these changes
Jul 1, 2026
2 tasks
This was referenced Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.


Important
Unkey is not accepting external pull requests at this time. Pull requests from people outside the Unkey team will not be reviewed or merged.
What does this PR do?
Adds the
POST /v2/apps.listAppsendpoint, which returns a cursor-paginated list of apps belonging to a given project.The SQL query backing this endpoint was updated to support cursor-based pagination: it now filters by
id >= id_cursor, orders byid ASC, and accepts aLIMITparameter. Previously the query ordered bycreated_atwith no pagination support.The handler:
project.*.read_apporproject.<project_id>.read_apppermissions, returning a 404 (rather than 403) on authorization failure to avoid leaking project existence to unauthorized callerslimit + 1rows to determine whether more pages exist, then trims the result and sets thecursorandhasMorefields in the pagination responseOpenAPI schemas and the generated YAML were updated to include
V2AppsListAppsRequestBody(withprojectId,limit, andcursorfields) andV2AppsListAppsResponseBody(withdata,meta, andpaginationfields). Speakeasy cursor pagination metadata is included.Tests cover:
projectId, out-of-rangelimitType of change
How should this be tested?
POST /v2/apps.listAppswith a valid root key and aprojectIdthat belongs to your workspace; verify a 200 response with the correct apps and pagination fieldslimit: 2against a project with more than 2 apps and follow the cursor across pages; verify all apps are returned exactly once and the final page hashasMore: falseand no cursorread_apppermission; verify a 404 is returned and no project or app IDs are present in the response bodyprojectId(too short, invalid characters, too long) or an out-of-rangelimit; verify a 400 validation error is returnedsvc/api/routes/v2_apps_list_apps/Checklist
Required
pnpm buildpnpm fmtmise run fmtconsole.logsgit pull origin mainAppreciated