API Keys
Mint, list, and revoke tenant API keys (scoped capabilities, ADR-0051).
List API keys for the current tenant
Returns all non-revoked API keys for the current tenant. Raw token values are never included — only metadata (id, label, prefix, role).
Create a new API key for the current tenant
Generates a new scoped API key and returns it once in plaintext. The raw token is unrecoverable after this response — store it securely. The `capabilities` set governs what the key may do; an empty set mints a publisher/widget key. `expiresAt` is optional (omit for no expiry).
Revoke an API key by id
Marks the API key as revoked. Subsequent requests bearing this key will be rejected with 401. The revoked key row is returned for audit purposes.
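The lifecycle described above, modeled as an added example (not this service's code). `KeyStore` and its method names are hypothetical. Assumptions beyond the page: only a SHA-256 digest of the token is stored, the `key_` token format is constructed, expired keys get 401, and a missing capability gets 403.

```python
import hashlib, hmac, secrets
from datetime import datetime, timezone

class KeyStore:
    """In-memory model of a show-once API key lifecycle (illustrative only)."""
    def __init__(self):
        self._rows = {}  # id -> row; the raw token is never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _public(row):  # metadata that is safe to return from list/revoke
        return {k: row[k] for k in ("id", "label", "prefix", "role")}

    def create(self, label, role, capabilities=(), expires_at=None):
        token = "key_" + secrets.token_urlsafe(32)  # constructed token format
        row = {"id": secrets.token_hex(8), "label": label, "role": role,
               "prefix": token[:12], "capabilities": frozenset(capabilities),
               "expiresAt": expires_at, "revoked": False,
               "hash": self._digest(token)}
        self._rows[row["id"]] = row
        return self._public(row), token  # the only time plaintext leaves the store

    def list_keys(self):
        return [self._public(r) for r in self._rows.values() if not r["revoked"]]

    def revoke(self, key_id):
        row = self._rows[key_id]
        row["revoked"] = True
        return {**self._public(row), "revoked": True}  # row returned for audit

    def authenticate(self, token, capability=None, now=None):
        """Return an HTTP-style status for a request bearing `token`."""
        now = now or datetime.now(timezone.utc)
        digest = self._digest(token)
        row = next((r for r in self._rows.values()
                    if hmac.compare_digest(r["hash"], digest)), None)
        if row is None or row["revoked"]:
            return 401  # unknown or revoked key
        if row["expiresAt"] is not None and now >= row["expiresAt"]:
            return 401  # assumption: expiry is treated like revocation
        if capability is not None and capability not in row["capabilities"]:
            return 403  # assumption: status for an out-of-scope call
        return 200
```

Because only the digest is kept, a lost token cannot be recovered; the remedy is to revoke the key and mint a new one.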