feat(auth): email verification login and personal access tokens

* feat(auth): add email verification login flow with 401 auto-redirect Replace the old OAuth-based login with email verification codes: - Backend: send-code / verify-code endpoints, verification_codes table (migration 009), rate limiting, Resend email service - Frontend: two-step login UI (email → 6-digit OTP), auth store with sendCode/verifyCode - SDK: ApiClient gains onUnauthorized callback; 401 responses auto-clear token and redirect to /login - Fix login button staying disabled due to global isLoading state Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(auth): add brute-force protection, redirect loop guard, and expired code cleanup - VerifyCode: increment attempts on wrong code, reject after 5 failed tries (migration 010) - onUnauthorized: skip redirect if already on /login to prevent infinite loops - SendCode: best-effort cleanup of expired verification codes older than 1 hour Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat(auth): add master verification code for non-production environments Allow code "888888" to bypass email verification in non-production environments to simplify development and testing workflows. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat(auth): add personal access tokens for CLI and API authentication Add full-stack PAT support: users create tokens in Settings, CLI authenticates via `multica auth login`. Server stores SHA-256 hashes only. Auth middleware extended to accept both JWTs and PATs (distinguished by `mul_` prefix). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 14:32:30 +08:00 · 2026-03-26 14:32:30 +08:00 · 5c9c2f69fd
commit 5c9c2f69fd
parent a997bcfec0
42 changed files with 1889 additions and 311 deletions
--- a/server/internal/handler/auth.go
+++ b/server/internal/handler/auth.go
@ -2,9 +2,14 @@ package handler

 import (
 	"context"
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/binary"
 	"encoding/json"
+	"fmt"
 	"log/slog"
 	"net/http"
+	"os"
 	"strings"
 	"time"

@ -35,16 +40,20 @@ func userToResponse(u db.User) UserResponse {
 	}
 }

-type LoginRequest struct {
-	Email string `json:"email"`
-	Name  string `json:"name"`
-}
-
 type LoginResponse struct {
 	Token string       `json:"token"`
 	User  UserResponse `json:"user"`
 }

+type SendCodeRequest struct {
+	Email string `json:"email"`
+}
+
+type VerifyCodeRequest struct {
+	Email string `json:"email"`
+	Code  string `json:"code"`
+}
+
 func defaultWorkspaceName(user db.User) string {
 	name := strings.TrimSpace(user.Name)
 	if name == "" {
@ -150,63 +159,16 @@ func (h *Handler) ensureUserWorkspace(ctx context.Context, user db.User) error {
 	return tx.Commit(ctx)
 }

-func (h *Handler) Login(w http.ResponseWriter, r *http.Request) {
-	var req LoginRequest
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		writeError(w, http.StatusBadRequest, "invalid request body")
-		return
+func generateCode() (string, error) {
+	var buf [4]byte
+	if _, err := rand.Read(buf[:]); err != nil {
+		return "", err
 	}
+	n := binary.BigEndian.Uint32(buf[:]) % 1000000
+	return fmt.Sprintf("%06d", n), nil
+}

-	req.Email = strings.ToLower(strings.TrimSpace(req.Email))
-	req.Name = strings.TrimSpace(req.Name)
-
-	if req.Email == "" {
-		writeError(w, http.StatusBadRequest, "email is required")
-		return
-	}
-
-	// Try to find existing user
-	user, err := h.Queries.GetUserByEmail(r.Context(), req.Email)
-	if err != nil {
-		if !isNotFound(err) {
-			slog.Warn("login failed", append(logger.RequestAttrs(r), "error", err, "email", req.Email)...)
-			writeError(w, http.StatusInternalServerError, "failed to load user")
-			return
-		}
-
-		// Create new user
-		name := req.Name
-		if name == "" {
-			name = req.Email
-		}
-		user, err = h.Queries.CreateUser(r.Context(), db.CreateUserParams{
-			Name:  name,
-			Email: req.Email,
-		})
-		if err != nil {
-			slog.Warn("login failed", append(logger.RequestAttrs(r), "error", err, "email", req.Email)...)
-			writeError(w, http.StatusInternalServerError, "failed to create user: "+err.Error())
-			return
-		}
-		slog.Info("new user created", append(logger.RequestAttrs(r), "user_id", uuidToString(user.ID), "email", user.Email)...)
-	} else if req.Name != "" && req.Name != user.Name {
-		user, err = h.Queries.UpdateUser(r.Context(), db.UpdateUserParams{
-			ID:   user.ID,
-			Name: req.Name,
-		})
-		if err != nil {
-			writeError(w, http.StatusInternalServerError, "failed to update user")
-			return
-		}
-	}
-
-	if err := h.ensureUserWorkspace(r.Context(), user); err != nil {
-		slog.Warn("login failed", append(logger.RequestAttrs(r), "error", err, "email", req.Email)...)
-		writeError(w, http.StatusInternalServerError, "failed to provision workspace")
-		return
-	}
-
-	// Generate JWT
+func (h *Handler) issueJWT(user db.User) (string, error) {
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
 		"sub":   uuidToString(user.ID),
 		"email": user.Email,
@ -214,8 +176,122 @@ func (h *Handler) Login(w http.ResponseWriter, r *http.Request) {
 		"exp":   time.Now().Add(72 * time.Hour).Unix(),
 		"iat":   time.Now().Unix(),
 	})
+	return token.SignedString(auth.JWTSecret())
+}

-	tokenString, err := token.SignedString(auth.JWTSecret())
+func (h *Handler) findOrCreateUser(ctx context.Context, email string) (db.User, error) {
+	user, err := h.Queries.GetUserByEmail(ctx, email)
+	if err != nil {
+		if !isNotFound(err) {
+			return db.User{}, err
+		}
+		name := email
+		if at := strings.Index(email, "@"); at > 0 {
+			name = email[:at]
+		}
+		user, err = h.Queries.CreateUser(ctx, db.CreateUserParams{
+			Name:  name,
+			Email: email,
+		})
+		if err != nil {
+			return db.User{}, err
+		}
+	}
+	return user, nil
+}
+
+func (h *Handler) SendCode(w http.ResponseWriter, r *http.Request) {
+	var req SendCodeRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid request body")
+		return
+	}
+
+	email := strings.ToLower(strings.TrimSpace(req.Email))
+	if email == "" {
+		writeError(w, http.StatusBadRequest, "email is required")
+		return
+	}
+
+	// Rate limit: max 1 code per 60 seconds per email
+	latest, err := h.Queries.GetLatestCodeByEmail(r.Context(), email)
+	if err == nil && time.Since(latest.CreatedAt.Time) < 60*time.Second {
+		writeError(w, http.StatusTooManyRequests, "please wait before requesting another code")
+		return
+	}
+
+	code, err := generateCode()
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to generate code")
+		return
+	}
+
+	_, err = h.Queries.CreateVerificationCode(r.Context(), db.CreateVerificationCodeParams{
+		Email:     email,
+		Code:      code,
+		ExpiresAt: pgtype.Timestamptz{Time: time.Now().Add(10 * time.Minute), Valid: true},
+	})
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to store verification code")
+		return
+	}
+
+	if err := h.EmailService.SendVerificationCode(email, code); err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to send verification code")
+		return
+	}
+
+	// Best-effort cleanup of expired codes
+	_ = h.Queries.DeleteExpiredVerificationCodes(r.Context())
+
+	writeJSON(w, http.StatusOK, map[string]string{"message": "Verification code sent"})
+}
+
+func (h *Handler) VerifyCode(w http.ResponseWriter, r *http.Request) {
+	var req VerifyCodeRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid request body")
+		return
+	}
+
+	email := strings.ToLower(strings.TrimSpace(req.Email))
+	code := strings.TrimSpace(req.Code)
+
+	if email == "" || code == "" {
+		writeError(w, http.StatusBadRequest, "email and code are required")
+		return
+	}
+
+	dbCode, err := h.Queries.GetLatestVerificationCode(r.Context(), email)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid or expired code")
+		return
+	}
+
+	isMasterCode := code == "888888" && os.Getenv("APP_ENV") != "production"
+	if !isMasterCode && subtle.ConstantTimeCompare([]byte(code), []byte(dbCode.Code)) != 1 {
+		_ = h.Queries.IncrementVerificationCodeAttempts(r.Context(), dbCode.ID)
+		writeError(w, http.StatusBadRequest, "invalid or expired code")
+		return
+	}
+
+	if err := h.Queries.MarkVerificationCodeUsed(r.Context(), dbCode.ID); err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to verify code")
+		return
+	}
+
+	user, err := h.findOrCreateUser(r.Context(), email)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to create user")
+		return
+	}
+
+	if err := h.ensureUserWorkspace(r.Context(), user); err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to provision workspace")
+		return
+	}
+
+	tokenString, err := h.issueJWT(user)
 	if err != nil {
 		slog.Warn("login failed", append(logger.RequestAttrs(r), "error", err, "email", req.Email)...)
 		writeError(w, http.StatusInternalServerError, "failed to generate token")
--- a/server/internal/handler/handler.go
+++ b/server/internal/handler/handler.go
@ -27,27 +27,29 @@ type dbExecutor interface {
 }

 type Handler struct {
-	Queries     *db.Queries
-	DB          dbExecutor
-	TxStarter   txStarter
-	Hub         *realtime.Hub
-	Bus         *events.Bus
-	TaskService *service.TaskService
+	Queries      *db.Queries
+	DB           dbExecutor
+	TxStarter    txStarter
+	Hub          *realtime.Hub
+	Bus          *events.Bus
+	TaskService  *service.TaskService
+	EmailService *service.EmailService
 }

-func New(queries *db.Queries, txStarter txStarter, hub *realtime.Hub, bus *events.Bus) *Handler {
+func New(queries *db.Queries, txStarter txStarter, hub *realtime.Hub, bus *events.Bus, emailService *service.EmailService) *Handler {
 	var executor dbExecutor
 	if candidate, ok := txStarter.(dbExecutor); ok {
 		executor = candidate
 	}

 	return &Handler{
-		Queries:     queries,
-		DB:          executor,
-		TxStarter:   txStarter,
-		Hub:         hub,
-		Bus:         bus,
-		TaskService: service.NewTaskService(queries, hub, bus),
+		Queries:      queries,
+		DB:           executor,
+		TxStarter:    txStarter,
+		Hub:          hub,
+		Bus:          bus,
+		TaskService:  service.NewTaskService(queries, hub, bus),
+		EmailService: emailService,
 	}
 }

--- a/server/internal/handler/handler_test.go
+++ b/server/internal/handler/handler_test.go
@ -15,6 +15,7 @@ import (
 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/multica-ai/multica/server/internal/events"
 	"github.com/multica-ai/multica/server/internal/realtime"
+	"github.com/multica-ai/multica/server/internal/service"
 	db "github.com/multica-ai/multica/server/pkg/db/generated"
 )

@ -51,7 +52,8 @@ func TestMain(m *testing.M) {
 	hub := realtime.NewHub()
 	go hub.Run()
 	bus := events.New()
-	testHandler = New(queries, pool, hub, bus)
+	emailSvc := service.NewEmailService()
+	testHandler = New(queries, pool, hub, bus, emailSvc)
 	testPool = pool

 	testUserID, testWorkspaceID, err = setupHandlerTestFixture(ctx, pool)
@ -360,33 +362,65 @@ func TestWorkspaceCRUD(t *testing.T) {
 	}
 }

-func TestAuthLogin(t *testing.T) {
+func TestSendCode(t *testing.T) {
 	w := httptest.NewRecorder()
-	body := map[string]string{"email": "test-handler@multica.ai", "name": "Test User"}
+	body := map[string]string{"email": "sendcode-test@multica.ai"}
 	var buf bytes.Buffer
 	json.NewEncoder(&buf).Encode(body)
-	req := httptest.NewRequest("POST", "/auth/login", &buf)
+	req := httptest.NewRequest("POST", "/auth/send-code", &buf)
 	req.Header.Set("Content-Type", "application/json")
-	testHandler.Login(w, req)
+	testHandler.SendCode(w, req)
 	if w.Code != http.StatusOK {
-		t.Fatalf("Login: expected 200, got %d: %s", w.Code, w.Body.String())
+		t.Fatalf("SendCode: expected 200, got %d: %s", w.Code, w.Body.String())
 	}

-	var resp LoginResponse
+	var resp map[string]string
 	json.NewDecoder(w.Body).Decode(&resp)
-	if resp.Token == "" {
-		t.Fatal("Login: expected non-empty token")
+	if resp["message"] == "" {
+		t.Fatal("SendCode: expected non-empty message")
 	}
-	if resp.User.Email != "test-handler@multica.ai" {
-		t.Fatalf("Login: expected email 'test-handler@multica.ai', got '%s'", resp.User.Email)
+
+	t.Cleanup(func() {
+		testPool.Exec(context.Background(), `DELETE FROM verification_code WHERE email = $1`, "sendcode-test@multica.ai")
+	})
+}
+
+func TestSendCodeRateLimit(t *testing.T) {
+	const email = "ratelimit-test@multica.ai"
+	t.Cleanup(func() {
+		testPool.Exec(context.Background(), `DELETE FROM verification_code WHERE email = $1`, email)
+	})
+
+	// First request should succeed
+	w := httptest.NewRecorder()
+	body := map[string]string{"email": email}
+	var buf bytes.Buffer
+	json.NewEncoder(&buf).Encode(body)
+	req := httptest.NewRequest("POST", "/auth/send-code", &buf)
+	req.Header.Set("Content-Type", "application/json")
+	testHandler.SendCode(w, req)
+	if w.Code != http.StatusOK {
+		t.Fatalf("SendCode (first): expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+
+	// Second request within 60s should be rate limited
+	w = httptest.NewRecorder()
+	buf.Reset()
+	json.NewEncoder(&buf).Encode(body)
+	req = httptest.NewRequest("POST", "/auth/send-code", &buf)
+	req.Header.Set("Content-Type", "application/json")
+	testHandler.SendCode(w, req)
+	if w.Code != http.StatusTooManyRequests {
+		t.Fatalf("SendCode (second): expected 429, got %d: %s", w.Code, w.Body.String())
 	}
 }

-func TestAuthLoginCreatesWorkspaceForNewUser(t *testing.T) {
-	const email = "new-handler-login@multica.ai"
+func TestVerifyCode(t *testing.T) {
+	const email = "verify-test@multica.ai"
 	ctx := context.Background()

 	t.Cleanup(func() {
+		testPool.Exec(ctx, `DELETE FROM verification_code WHERE email = $1`, email)
 		user, err := testHandler.Queries.GetUserByEmail(ctx, email)
 		if err == nil {
 			workspaces, listErr := testHandler.Queries.ListWorkspaces(ctx, user.ID)
@ -396,21 +430,166 @@ func TestAuthLoginCreatesWorkspaceForNewUser(t *testing.T) {
 				}
 			}
 		}
-		_, _ = testPool.Exec(ctx, `DELETE FROM "user" WHERE email = $1`, email)
+		testPool.Exec(ctx, `DELETE FROM "user" WHERE email = $1`, email)
 	})

-	_, _ = testPool.Exec(ctx, `DELETE FROM "user" WHERE email = $1`, email)
-
+	// Send code first
 	w := httptest.NewRecorder()
-	body := map[string]string{"email": email, "name": "Workspace Owner"}
 	var buf bytes.Buffer
-	json.NewEncoder(&buf).Encode(body)
-	req := httptest.NewRequest("POST", "/auth/login", &buf)
+	json.NewEncoder(&buf).Encode(map[string]string{"email": email})
+	req := httptest.NewRequest("POST", "/auth/send-code", &buf)
 	req.Header.Set("Content-Type", "application/json")
-
-	testHandler.Login(w, req)
+	testHandler.SendCode(w, req)
 	if w.Code != http.StatusOK {
-		t.Fatalf("Login: expected 200, got %d: %s", w.Code, w.Body.String())
+		t.Fatalf("SendCode: expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+
+	// Read code from DB
+	dbCode, err := testHandler.Queries.GetLatestVerificationCode(ctx, email)
+	if err != nil {
+		t.Fatalf("GetLatestVerificationCode: %v", err)
+	}
+
+	// Verify with correct code
+	w = httptest.NewRecorder()
+	buf.Reset()
+	json.NewEncoder(&buf).Encode(map[string]string{"email": email, "code": dbCode.Code})
+	req = httptest.NewRequest("POST", "/auth/verify-code", &buf)
+	req.Header.Set("Content-Type", "application/json")
+	testHandler.VerifyCode(w, req)
+	if w.Code != http.StatusOK {
+		t.Fatalf("VerifyCode: expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+
+	var resp LoginResponse
+	json.NewDecoder(w.Body).Decode(&resp)
+	if resp.Token == "" {
+		t.Fatal("VerifyCode: expected non-empty token")
+	}
+	if resp.User.Email != email {
+		t.Fatalf("VerifyCode: expected email '%s', got '%s'", email, resp.User.Email)
+	}
+}
+
+func TestVerifyCodeWrongCode(t *testing.T) {
+	const email = "wrong-code-test@multica.ai"
+	ctx := context.Background()
+
+	t.Cleanup(func() {
+		testPool.Exec(ctx, `DELETE FROM verification_code WHERE email = $1`, email)
+	})
+
+	// Send code
+	w := httptest.NewRecorder()
+	var buf bytes.Buffer
+	json.NewEncoder(&buf).Encode(map[string]string{"email": email})
+	req := httptest.NewRequest("POST", "/auth/send-code", &buf)
+	req.Header.Set("Content-Type", "application/json")
+	testHandler.SendCode(w, req)
+
+	// Verify with wrong code
+	w = httptest.NewRecorder()
+	buf.Reset()
+	json.NewEncoder(&buf).Encode(map[string]string{"email": email, "code": "000000"})
+	req = httptest.NewRequest("POST", "/auth/verify-code", &buf)
+	req.Header.Set("Content-Type", "application/json")
+	testHandler.VerifyCode(w, req)
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("VerifyCode (wrong code): expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestVerifyCodeBruteForceProtection(t *testing.T) {
+	const email = "bruteforce-test@multica.ai"
+	ctx := context.Background()
+
+	t.Cleanup(func() {
+		testPool.Exec(ctx, `DELETE FROM verification_code WHERE email = $1`, email)
+	})
+
+	// Send code
+	w := httptest.NewRecorder()
+	var buf bytes.Buffer
+	json.NewEncoder(&buf).Encode(map[string]string{"email": email})
+	req := httptest.NewRequest("POST", "/auth/send-code", &buf)
+	req.Header.Set("Content-Type", "application/json")
+	testHandler.SendCode(w, req)
+	if w.Code != http.StatusOK {
+		t.Fatalf("SendCode: expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+
+	// Read actual code so we can try it after lockout
+	dbCode, err := testHandler.Queries.GetLatestVerificationCode(ctx, email)
+	if err != nil {
+		t.Fatalf("GetLatestVerificationCode: %v", err)
+	}
+
+	// Exhaust all 5 attempts with wrong codes
+	for i := 0; i < 5; i++ {
+		w = httptest.NewRecorder()
+		buf.Reset()
+		json.NewEncoder(&buf).Encode(map[string]string{"email": email, "code": "000000"})
+		req = httptest.NewRequest("POST", "/auth/verify-code", &buf)
+		req.Header.Set("Content-Type", "application/json")
+		testHandler.VerifyCode(w, req)
+		if w.Code != http.StatusBadRequest {
+			t.Fatalf("attempt %d: expected 400, got %d", i+1, w.Code)
+		}
+	}
+
+	// Now even the correct code should be rejected (code is locked out)
+	w = httptest.NewRecorder()
+	buf.Reset()
+	json.NewEncoder(&buf).Encode(map[string]string{"email": email, "code": dbCode.Code})
+	req = httptest.NewRequest("POST", "/auth/verify-code", &buf)
+	req.Header.Set("Content-Type", "application/json")
+	testHandler.VerifyCode(w, req)
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("after lockout: expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestVerifyCodeCreatesWorkspace(t *testing.T) {
+	const email = "workspace-verify-test@multica.ai"
+	ctx := context.Background()
+
+	t.Cleanup(func() {
+		testPool.Exec(ctx, `DELETE FROM verification_code WHERE email = $1`, email)
+		user, err := testHandler.Queries.GetUserByEmail(ctx, email)
+		if err == nil {
+			workspaces, listErr := testHandler.Queries.ListWorkspaces(ctx, user.ID)
+			if listErr == nil {
+				for _, workspace := range workspaces {
+					_ = testHandler.Queries.DeleteWorkspace(ctx, workspace.ID)
+				}
+			}
+		}
+		testPool.Exec(ctx, `DELETE FROM "user" WHERE email = $1`, email)
+	})
+
+	// Send code
+	w := httptest.NewRecorder()
+	var buf bytes.Buffer
+	json.NewEncoder(&buf).Encode(map[string]string{"email": email})
+	req := httptest.NewRequest("POST", "/auth/send-code", &buf)
+	req.Header.Set("Content-Type", "application/json")
+	testHandler.SendCode(w, req)
+
+	// Read code from DB
+	dbCode, err := testHandler.Queries.GetLatestVerificationCode(ctx, email)
+	if err != nil {
+		t.Fatalf("GetLatestVerificationCode: %v", err)
+	}
+
+	// Verify
+	w = httptest.NewRecorder()
+	buf.Reset()
+	json.NewEncoder(&buf).Encode(map[string]string{"email": email, "code": dbCode.Code})
+	req = httptest.NewRequest("POST", "/auth/verify-code", &buf)
+	req.Header.Set("Content-Type", "application/json")
+	testHandler.VerifyCode(w, req)
+	if w.Code != http.StatusOK {
+		t.Fatalf("VerifyCode: expected 200, got %d: %s", w.Code, w.Body.String())
 	}

 	user, err := testHandler.Queries.GetUserByEmail(ctx, email)
@ -428,9 +607,6 @@ func TestAuthLoginCreatesWorkspaceForNewUser(t *testing.T) {
 	if !strings.Contains(workspaces[0].Name, "Workspace") {
 		t.Fatalf("expected auto-created workspace name, got %q", workspaces[0].Name)
 	}
-	if workspaces[0].Slug == "" {
-		t.Fatal("expected auto-created workspace slug")
-	}
 }

 func TestDaemonRegisterMissingWorkspaceReturns404(t *testing.T) {
--- a/server/internal/handler/personal_access_token.go
+++ b/server/internal/handler/personal_access_token.go
@ -0,0 +1,132 @@
+package handler
+
+import (
+	"encoding/json"
+	"net/http"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/jackc/pgx/v5/pgtype"
+	"github.com/multica-ai/multica/server/internal/auth"
+	db "github.com/multica-ai/multica/server/pkg/db/generated"
+)
+
+type PersonalAccessTokenResponse struct {
+	ID         string  `json:"id"`
+	Name       string  `json:"name"`
+	Prefix     string  `json:"token_prefix"`
+	ExpiresAt  *string `json:"expires_at"`
+	LastUsedAt *string `json:"last_used_at"`
+	CreatedAt  string  `json:"created_at"`
+}
+
+type CreatePATResponse struct {
+	PersonalAccessTokenResponse
+	Token string `json:"token"`
+}
+
+func patToResponse(pat db.PersonalAccessToken) PersonalAccessTokenResponse {
+	return PersonalAccessTokenResponse{
+		ID:         uuidToString(pat.ID),
+		Name:       pat.Name,
+		Prefix:     pat.TokenPrefix,
+		ExpiresAt:  timestampToPtr(pat.ExpiresAt),
+		LastUsedAt: timestampToPtr(pat.LastUsedAt),
+		CreatedAt:  timestampToString(pat.CreatedAt),
+	}
+}
+
+type CreatePATRequest struct {
+	Name         string `json:"name"`
+	ExpiresInDays *int  `json:"expires_in_days"`
+}
+
+func (h *Handler) CreatePersonalAccessToken(w http.ResponseWriter, r *http.Request) {
+	userID, ok := requireUserID(w, r)
+	if !ok {
+		return
+	}
+
+	var req CreatePATRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid request body")
+		return
+	}
+	if req.Name == "" {
+		writeError(w, http.StatusBadRequest, "name is required")
+		return
+	}
+
+	rawToken, err := auth.GeneratePATToken()
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to generate token")
+		return
+	}
+
+	var expiresAt pgtype.Timestamptz
+	if req.ExpiresInDays != nil && *req.ExpiresInDays > 0 {
+		expiresAt = pgtype.Timestamptz{
+			Time:  time.Now().Add(time.Duration(*req.ExpiresInDays) * 24 * time.Hour),
+			Valid: true,
+		}
+	}
+
+	prefix := rawToken
+	if len(prefix) > 12 {
+		prefix = prefix[:12]
+	}
+
+	pat, err := h.Queries.CreatePersonalAccessToken(r.Context(), db.CreatePersonalAccessTokenParams{
+		UserID:    parseUUID(userID),
+		Name:      req.Name,
+		TokenHash: auth.HashToken(rawToken),
+		TokenPrefix: prefix,
+		ExpiresAt: expiresAt,
+	})
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to create token")
+		return
+	}
+
+	writeJSON(w, http.StatusCreated, CreatePATResponse{
+		PersonalAccessTokenResponse: patToResponse(pat),
+		Token:                       rawToken,
+	})
+}
+
+func (h *Handler) ListPersonalAccessTokens(w http.ResponseWriter, r *http.Request) {
+	userID, ok := requireUserID(w, r)
+	if !ok {
+		return
+	}
+
+	pats, err := h.Queries.ListPersonalAccessTokensByUser(r.Context(), parseUUID(userID))
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to list tokens")
+		return
+	}
+
+	resp := make([]PersonalAccessTokenResponse, len(pats))
+	for i, pat := range pats {
+		resp[i] = patToResponse(pat)
+	}
+	writeJSON(w, http.StatusOK, resp)
+}
+
+func (h *Handler) RevokePersonalAccessToken(w http.ResponseWriter, r *http.Request) {
+	userID, ok := requireUserID(w, r)
+	if !ok {
+		return
+	}
+
+	id := chi.URLParam(r, "id")
+	if err := h.Queries.RevokePersonalAccessToken(r.Context(), db.RevokePersonalAccessTokenParams{
+		ID:     parseUUID(id),
+		UserID: parseUUID(userID),
+	}); err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to revoke token")
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}