airweave-ai · orhanrauf · Oct 28, 2025 · Oct 28, 2025
diff --git a/backend/airweave/api/v1/endpoints/organizations.py b/backend/airweave/api/v1/endpoints/organizations.py
@@ -694,9 +694,10 @@ async def _notify_donke_signup(
         # Simple HTTP call to Donke (uses Azure app key)
         async with httpx.AsyncClient() as client:
             await client.post(
-                f"{settings.DONKE_URL}/api/notify-signup?code={settings.DONKE_API_KEY}",
+                f"{settings.DONKE_URL}/api/notify-signup",
                 headers={
                     "Content-Type": "application/json",
+                    "x-functions-key": settings.DONKE_API_KEY,
                 },
                 json={
                     "organization_name": organization.name,

diff --git a/backend/airweave/billing/webhook_handler.py b/backend/airweave/billing/webhook_handler.py
@@ -941,9 +941,10 @@ async def _notify_donke_subscription(
     try:
         async with httpx.AsyncClient() as client:
             await client.post(
-                f"{settings.DONKE_URL}/api/notify-subscription?code={settings.DONKE_API_KEY}",
+                f"{settings.DONKE_URL}/api/notify-subscription",
                 headers={
                     "Content-Type": "application/json",
+                    "x-functions-key": settings.DONKE_API_KEY,
                 },
                 json={
                     "organization_name": org.name,
@@ -1012,9 +1013,10 @@ async def _send_team_welcome_email(
         # Call Donke to send the welcome email
         async with httpx.AsyncClient() as client:
             await client.post(
-                f"{settings.DONKE_URL}/api/send-team-welcome-email?code={settings.DONKE_API_KEY}",
+                f"{settings.DONKE_URL}/api/send-team-welcome-email",
                 headers={
                     "Content-Type": "application/json",
+                    "x-functions-key": settings.DONKE_API_KEY,
                 },
                 json={
                     "organization_name": org.name,

diff --git a/backend/airweave/crud/crud_api_key.py b/backend/airweave/crud/crud_api_key.py
@@ -133,7 +133,7 @@ async def get_by_key(self, db: AsyncSession, *, key: str) -> Optional[APIKey]:
         for api_key in api_keys:
             try:
                 decrypted_data = credentials.decrypt(api_key.encrypted_key)
-                if decrypted_data["key"] == key:
+                if secrets.compare_digest(decrypted_data["key"], key):
                     # Check expiration
                     if api_key.expiration_date < utc_now_naive():
                         raise PermissionException("API key has expired")

diff --git a/backend/airweave/crud/crud_connection_init_session.py b/backend/airweave/crud/crud_connection_init_session.py
@@ -4,6 +4,7 @@
 (e.g., auto-injected audit keys) for ConnectionInitSession to avoid TypeError.
 """
 
+import secrets
 from typing import Any, Dict, Optional
 from uuid import UUID
 
@@ -127,8 +128,10 @@ async def get_by_oauth_token_no_auth(
                 f"Session {session.id}: overrides={session.overrides}, "
                 f"has oauth_token={oauth_token_value}"
             )
-            # Match manually
-            if session.overrides and session.overrides.get("oauth_token") == oauth_token:
+            # Match manually using constant-time comparison
+            if session.overrides and secrets.compare_digest(
+                session.overrides.get("oauth_token", ""), oauth_token
+            ):
                 logger.debug(f"Found matching session: {session.id}")
                 return session