Plan: Remove deprecated ADMIN_API_KEY/X-Admin-Key artifacts

Goal

Remove all traces of the deprecated ADMIN_API_KEY and X-Admin-Key from the backend to ensure JWT role auth is the exclusive admin authentication path.

Scope

  1. Remove ADMIN_API_KEY from environment files (.env.example, render.yaml) and the Python config (app/core/config.py).
  2. Remove any references to X-Admin-Key in Postman testing configs and documentation.
  3. Update all architecture, runbook, and access control documentation to indicate that JWT is the sole supported admin authentication method.

Verification

  • Running backend tests should not fail due to missing ADMIN_API_KEY.
  • A grep of the documentation and code for ADMIN_API_KEY and X-Admin-Key should yield no occurrences outside of specific historical ADRs (where they should be marked as completely removed).
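
One way to turn the grep check above into a repeatable CI step, as an added example that is not part of the original plan or the project's code. It assumes the ADRs live under docs/adr and that a marked ADR contains the word "removed"; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not project code. The bracketed letter in each alternative
# keeps this file from matching itself if it is stored inside the repository.
PATTERN='ADMIN_API_[K]EY|X-Admin-[K]ey'

# Print every hit outside the ADR directory.
# $1 = repo root (default .), $2 = ADR dir relative to root (assumed docs/adr).
find_admin_key_leftovers() {
    fl_root="${1:-.}"; fl_root="${fl_root%/}"
    fl_adr="${fl_root}/${2:-docs/adr}"; fl_adr="${fl_adr%/}/"
    # -i: header names are case-insensitive and a settings field may be
    # spelled in lowercase. -I skips binary files.
    grep -rnIiE --exclude-dir=.git --exclude-dir=.venv "$PATTERN" "$fl_root" |
    while IFS= read -r fl_hit; do
        case "$fl_hit" in
            "$fl_adr"*) ;;                  # historical ADR: allowed here
            *) printf '%s\n' "$fl_hit" ;;
        esac
    done
}

# Print ADR files that mention the key but never contain the word "removed"
# (the marker word is an assumption; adjust to the ADR template in use).
find_unmarked_adrs() {
    ua_dir="${1:-.}"; ua_dir="${ua_dir%/}/${2:-docs/adr}"
    [ -d "$ua_dir" ] || return 0
    grep -rlIiE "$PATTERN" "$ua_dir" |
    while IFS= read -r ua_file; do
        grep -qi 'removed' "$ua_file" || printf '%s\n' "$ua_file"
    done
}

# Exit status 0 only when both checks come back empty; usable as a CI gate.
check_admin_key_removed() {
    ck_left="$(find_admin_key_leftovers "$@")"
    ck_adrs="$(find_unmarked_adrs "$@")"
    [ -z "$ck_left" ] || printf 'References outside ADRs:\n%s\n' "$ck_left" >&2
    [ -z "$ck_adrs" ] || printf 'ADRs not marked removed:\n%s\n' "$ck_adrs" >&2
    [ -z "$ck_left" ] && [ -z "$ck_adrs" ]
}
```

Run it from the repository root as `check_admin_key_removed . docs/adr` after sourcing the file; a non-zero status lists the files that still need cleanup.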