Create, rotate, revoke, and inspect API keys in the authenticated dashboard.
Those dashboard routes are not customer API-key-authenticated public API routes,
so they are omitted from openapi/draftfilter-api.v1.yaml.
API-key plaintext is shown only when a key is created or rotated. After that,
the dashboard stores and returns safe metadata such as key id, display name,
scope list, prefix, last four secret characters, status, creation time, and
rotation or revocation timestamps when present.
Revoking a key disables future API use but preserves audit metadata. Revoked
records are retained so job attribution, usage history, revokedAt,
revokedByUserId, and rotation lineage remain inspectable.
Rotation creates a successor key, shows the new plaintext value once, and
revokes the previous key. Deploy clients with the successor key before removing
the old key from secrets managers.
Default keys include these scopes unless reduced in the dashboard:
Dashboard-internal routes under /dashboard/* are unsupported internal implementation details
for the web app. Public API clients should only call the /v1/* routes
documented by the OpenAPI contract.