coder
diff --git a/‎coderd/apidoc/docs.go
+72 b/‎coderd/apidoc/docs.go
+72
diff --git a/‎coderd/apidoc/swagger.json
+64 b/‎coderd/apidoc/swagger.json
+64
diff --git a/‎coderd/database/dbauthz/dbauthz.go
+7 b/‎coderd/database/dbauthz/dbauthz.go
+7
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
+4 b/‎coderd/database/dbauthz/dbauthz_test.go
+4
diff --git a/‎coderd/database/dbmem/dbmem.go
+17 b/‎coderd/database/dbmem/dbmem.go
+17
diff --git a/‎coderd/database/dbmetrics/dbmetrics.go
+7 b/‎coderd/database/dbmetrics/dbmetrics.go
+7
diff --git a/‎coderd/database/dbmock/dbmock.go
+15 b/‎coderd/database/dbmock/dbmock.go
+15
diff --git a/‎coderd/database/querier.go
+1 b/‎coderd/database/querier.go
+1
diff --git a/‎coderd/database/queries.sql.go
+38 b/‎coderd/database/queries.sql.go
+38
diff --git a/‎coderd/database/queries/crypto_keys.sql
+7 b/‎coderd/database/queries/crypto_keys.sql
+7
diff --git a/‎docs/reference/api/schemas.md
+60 b/‎docs/reference/api/schemas.md
+60
diff --git a/‎enterprise/coderd/coderd.go
+1 b/‎enterprise/coderd/coderd.go
+1
@@ -1405,6 +1405,13 @@ func (q *querier) GetCryptoKeys(ctx context.Context) ([]database.CryptoKey, erro
 	return q.db.GetCryptoKeys(ctx)
 }
 
+func (q *querier) GetCryptoKeysByFeature(ctx context.Context, feature database.CryptoKeyFeature) ([]database.CryptoKey, error) {
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceCryptoKey); err != nil {
+		return nil, err
+	}
+	return q.db.GetCryptoKeysByFeature(ctx, feature)
+}
+
 func (q *querier) GetDBCryptKeys(ctx context.Context) ([]database.DBCryptKey, error) {
 	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
 		return nil, err
 
@@ -2302,6 +2302,10 @@ func (s *MethodTestSuite) TestCryptoKeys() {
 			DeletesAt: sql.NullTime{Time: time.Now(), Valid: true},
 		}).Asserts(rbac.ResourceCryptoKey, policy.ActionUpdate)
 	}))
+	s.Run("GetCryptoKeysByFeature", s.Subtest(func(db database.Store, check *expects) {
+		check.Args(database.CryptoKeyFeatureWorkspaceApps).
+			Asserts(rbac.ResourceCryptoKey, policy.ActionRead)
+	}))
 }
 
 func (s *MethodTestSuite) TestSystemFunctions() {
 
@@ -2429,6 +2429,23 @@ func (q *FakeQuerier) GetCryptoKeys(_ context.Context) ([]database.CryptoKey, er
 	return keys, nil
 }
 
+func (q *FakeQuerier) GetCryptoKeysByFeature(_ context.Context, feature database.CryptoKeyFeature) ([]database.CryptoKey, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	keys := make([]database.CryptoKey, 0)
+	for _, key := range q.cryptoKeys {
+		if key.Feature == feature && key.Secret.Valid {
+			keys = append(keys, key)
+		}
+	}
+	// We want to return the highest sequence number first.
+	slices.SortFunc(keys, func(i, j database.CryptoKey) int {
+		return int(j.Sequence - i.Sequence)
+	})
+	return keys, nil
+}
+
 func (q *FakeQuerier) GetDBCryptKeys(_ context.Context) ([]database.DBCryptKey, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
 
@@ -3,6 +3,13 @@ SELECT *
 FROM crypto_keys
 WHERE secret IS NOT NULL;
 
+-- name: GetCryptoKeysByFeature :many
+SELECT *
+FROM crypto_keys
+WHERE feature = $1
+AND secret IS NOT NULL
+ORDER BY sequence DESC;
+
 -- name: GetLatestCryptoKeyByFeature :one
 SELECT *
 FROM crypto_keys
 
@@ -243,6 +243,7 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 				r.Post("/app-stats", api.workspaceProxyReportAppStats)
 				r.Post("/register", api.workspaceProxyRegister)
 				r.Post("/deregister", api.workspaceProxyDeregister)
+				r.Get("/crypto-keys", api.workspaceProxyCryptoKeys)
 			})
 			r.Route("/{workspaceproxy}", func(r chi.Router) {
 				r.Use(