fix: allow API key from Authorization header for relabel endpoint

- Extract API key from Bearer token in Authorization header
- Fall back to CODEBUFF_API_KEY env var if header not provided
- Return 401 instead of 500 when no key available
- Allows admins to use their own API key without server config

Author: brandonkachen

web/src/app/api/admin/relabel-for-user/route.ts

@@ -112,15 +112,16 @@ export async function POST(req: NextRequest) {
       ? requestedLimit
       : DEFAULT_RELABEL_LIMIT
 
-  const apiKey = env.CODEBUFF_API_KEY
+  // Get API key from Authorization header (preferred) or fall back to env var
+  const apiKey = getApiKeyFromRequest(req) ?? env.CODEBUFF_API_KEY
   if (!apiKey) {
     return NextResponse.json(
       { 
-        error: 'CODEBUFF_API_KEY is not configured',
-        details: 'This endpoint now calls LLMs directly (backend was removed) and requires CODEBUFF_API_KEY to be set.',
-        hint: 'Add CODEBUFF_API_KEY to your environment variables. See .env.example for reference.',
+        error: 'API key required',
+        details: 'Provide an API key via Authorization header (Bearer token) or set CODEBUFF_API_KEY env var.',
+        hint: 'Visit /usage in the web app to create an API key.',
       },
-      { status: 500 },
+      { status: 401 },
     )
   }
 
@@ -535,6 +536,18 @@ function buildPromptContext(apiKey: string) {
   }
 }
 
+/**
+ * Extract API key from Authorization header (Bearer token)
+ */
+function getApiKeyFromRequest(req: NextRequest): string | null {
+  const authHeader = req.headers.get('Authorization')
+  if (!authHeader?.startsWith('Bearer ')) {
+    return null
+  }
+  const token = authHeader.slice(7).trim()
+  return token || null
+}
+
 async function ensureBigQuery() {
   if (!bigqueryReady) {
     bigqueryReady = setupBigQuery({ logger })