API Keys

Key portal

Scoped keys, shown once, revocable, audit-logged. This portal currently runs in sandbox mode — generated keys are demo keys, clearly labeled, never valid for production.

Sandbox mode (reported-pending-proof). No backend key service is connected on this portal yet. Keys are generated locally in your browser as gaiask_demo_…, only metadata is stored, nothing is transmitted or logged. Production key generation requires the approved server-side endpoint (contract documented below).

Create API key

Sign in / request access — planned (placeholder; sandbox needs no account).

No tenant, no memory — every key is bound to one tenant scope.

Recommended. Expired keys fail closed.

Your keys

Metadata only — the full key value is never stored.

NameKeyScopesEnvExpires

Backend contract (proposed)

The production implementation is server-side only: plaintext never stored (hash only), key shown once, tenant_id + scopes required, every create/revoke audit-logged.

api-keys contract
POST   /v1/api-keys            # create — returns key once
GET    /v1/api-keys            # list metadata (prefix + last4)
DELETE /v1/api-keys/{key_id}   # revoke — audit-logged
reported-pending-proof

Audit log

Local demo log — the production audit trail lives server-side, keyed by proof_id.

Timestamp (UTC)ActionDetail