Generate, manage, and revoke API keys for programmatic access. SHA-256 hashed storage — plaintext shown once at creation.
Key Generation
sk_-prefixed keys with 256-bit entropy via crypto.randomBytes. SHA-256 hashed. 12-char prefix for display.
Access Control
Owner and admin roles only. Membership verified on every operation. Scopes restricted to explicit allowlist.
Management Dashboard
/org-dashboard/api-keys — table view, create dialog, copy-once display, revoke with confirmation.
Validation
Checks is_active + expires_at. Auto-updates last_used_at. ISO 8601 datetime validation on expiry.
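The key lifecycle described under Key Generation and Validation, as an added Node.js sketch that is not this product's own code: it generates the key, stores only the hash and display prefix, and checks is_active and expires_at on use. Assumptions: hex encoding of the random bytes, the 12-character prefix including `sk_`, the `key_hash` and `key_prefix` field names, and an in-memory `Map` standing in for the database.

```javascript
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s, "utf8").digest("hex");
const ISO_8601 = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;

// Reject anything that is not a full ISO 8601 datetime before it reaches storage.
function parseExpiry(value) {
  if (value == null) return null; // no expiry set
  const t = typeof value === "string" && ISO_8601.test(value) ? new Date(value) : new Date(NaN);
  if (Number.isNaN(t.getTime())) throw new TypeError("expires_at must be an ISO 8601 datetime");
  return t.toISOString();
}

// Create a key: the plaintext is returned once, only the hash and prefix are stored.
function createApiKey(store, expiresAt = null) {
  // Assumption: hex encoding of the 32 random bytes (256 bits).
  const key = "sk_" + crypto.randomBytes(32).toString("hex");
  const record = {
    key_hash: sha256(key),        // hypothetical field name
    key_prefix: key.slice(0, 12), // assumption: the 12 characters include "sk_"
    is_active: true,
    expires_at: parseExpiry(expiresAt),
    last_used_at: null,
  };
  store.set(record.key_hash, record);
  return { key, record };
}

// Validate a presented key: hash it, look the hash up, then check state and expiry.
function validateApiKey(store, presented, now = new Date()) {
  if (typeof presented !== "string" || !presented.startsWith("sk_")) return null;
  const record = store.get(sha256(presented));
  if (!record || !record.is_active) return null;
  if (record.expires_at && new Date(record.expires_at) <= now) return null;
  record.last_used_at = now.toISOString();
  return record;
}

// Revocation keeps the row and sets is_active = false, as the DELETE route is described.
function revokeApiKey(store, keyHash) {
  const record = store.get(keyHash);
  if (record) record.is_active = false;
  return Boolean(record);
}
```

Because the key carries 256 bits of randomness, a single unsalted SHA-256 is enough to make the stored hash useless for recovering the key, and the hash can serve directly as the lookup index.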
| API Route | Method | Description |
|---|---|---|
| /api/account/api-keys | GET | List keys (hash never exposed) |
| /api/account/api-keys | POST | Create key (returns full key once) |
| /api/account/api-keys | DELETE | Revoke key (sets is_active = false) |