@@ -9,7 +9,7 @@ import { maskToken } from "@/lib/maskToken.js";
99import { getOrgProjectsOldestFirst } from "@/lib/sso-default-projects.js" ;
1010
1111import { logAuditEvent } from "@llmgateway/audit" ;
12- import { and , db , eq , shortid , tables } from "@llmgateway/db" ;
12+ import { and , db , eq , isNull , shortid , tables } from "@llmgateway/db" ;
1313import { getApiKeyFingerprint } from "@llmgateway/shared/api-key-hash" ;
1414
1515import type { ServerTypes } from "@/vars.js" ;
@@ -19,6 +19,12 @@ export const sso = new OpenAPIHono<ServerTypes>();
1919
2020const apiUrl = getApiBaseUrl ( ) ;
2121
22+ // Default per-developer active API key cap seeded when an org first wires up
23+ // SSO. Developers are provisioned in bulk via SCIM/SSO, so give them a sane
24+ // baseline that admins can still override org-wide (default developer budget)
25+ // or per member.
26+ const DEFAULT_SSO_DEVELOPER_MAX_API_KEYS = 3 ;
27+
2228async function assertEnterpriseOrgAccess (
2329 userId : string ,
2430 organizationId : string ,
@@ -311,6 +317,19 @@ sso.openapi(register, async (c) => {
311317 createdAt : tables . ssoProvider . createdAt ,
312318 } ) ;
313319
320+ // Seed a reasonable default per-developer API key cap for the org. Only set
321+ // it when the org hasn't already configured its own default developer budget,
322+ // so we never clobber an explicit admin choice.
323+ await db
324+ . update ( tables . organization )
325+ . set ( { defaultDeveloperMaxApiKeys : DEFAULT_SSO_DEVELOPER_MAX_API_KEYS } )
326+ . where (
327+ and (
328+ eq ( tables . organization . id , organizationId ) ,
329+ isNull ( tables . organization . defaultDeveloperMaxApiKeys ) ,
330+ ) ,
331+ ) ;
332+
314333 await logAuditEvent ( {
315334 organizationId,
316335 userId : user . id ,
0 commit comments