Open
Labels: P2 (Medium priority), api (API endpoints), enhancement (New feature or request), security (Security and safety)
Description
Summary
General-purpose API keys for programmatic access (not just widget). Key scopes (read-only, agent-specific, project-specific), usage tracking per key, key rotation, and expiry.
Motivation
Current auth is HTTP Basic Auth + Bearer tokens from /auth/token. Production integrations need proper API key management — keys that can be scoped, rotated, and tracked independently. Widget keys exist but are widget-specific.
Scope
- New api_keys table (key_hash, name, scopes, project_id, agent_id, expires_at, last_used, created_by)
- Key generation with prefix (mk_ for MATE key) and secure random suffix
- Scopes: read, write, chat, admin, per-project, per-agent
- Key rotation: generate new key, grace period for old key
- Usage tracking: requests per key, last used timestamp
- Dashboard: key management page (create, list, revoke, view usage)
- Auth middleware: accept Authorization: Bearer mk_... alongside existing auth
Acceptance Criteria
- API keys with configurable scopes
- Key rotation with grace period
- Usage tracking per key
- Dashboard CRUD for keys
- Works alongside existing Basic Auth
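To make the scope items and acceptance criteria above concrete, here is an added example (not the project's own code) of the core pieces: prefixed key generation with a secure random suffix, hash-only storage, scope and project/agent checks, per-key usage tracking, expiry, and rotation with a grace period. The columns follow the api_keys list in the issue; the in-memory store, the request_count/grace_until/replaced_by fields, the demo() walkthrough and the choice of SHA-256 for key_hash are assumptions made for the example.

```python
# Added example, not the project's code. Assumed: in-memory store instead of the
# api_keys table, extra fields (request_count, grace_until, replaced_by) for
# usage tracking and rotation, and SHA-256 as the key_hash function.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

KEY_PREFIX = "mk_"                                   # "MATE key" prefix from the issue
VALID_SCOPES = {"read", "write", "chat", "admin"}    # per-project / per-agent are bindings below


@dataclass
class ApiKey:
    key_hash: str
    name: str
    scopes: set
    created_by: str
    project_id: Optional[str] = None        # None = not bound to a project
    agent_id: Optional[str] = None          # None = not bound to an agent
    expires_at: Optional[datetime] = None
    last_used: Optional[datetime] = None
    request_count: int = 0                  # usage tracking (assumed column)
    grace_until: Optional[datetime] = None  # set on the old key by rotate() (assumed column)
    replaced_by: Optional[str] = None       # hash of the successor key (assumed column)


def hash_key(secret: str) -> str:
    # Keys are high-entropy random strings, so a fast hash is enough to make a
    # leaked table useless; a slow password hash is only needed for low-entropy input.
    return hashlib.sha256(secret.encode()).hexdigest()


def generate_key() -> str:
    # 32 random bytes -> 43 URL-safe chars; the fixed prefix lets the middleware
    # and secret scanners recognise the format without touching the database.
    return KEY_PREFIX + secrets.token_urlsafe(32)


class KeyStore:
    def __init__(self):
        self.by_hash = {}   # key_hash -> ApiKey; the plaintext is never kept

    def create(self, name, scopes, created_by, *, project_id=None, agent_id=None,
               ttl=None, now=None):
        unknown = set(scopes) - VALID_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        now = now or datetime.now(timezone.utc)
        secret = generate_key()
        rec = ApiKey(hash_key(secret), name, set(scopes), created_by, project_id,
                     agent_id, now + ttl if ttl else None)
        self.by_hash[rec.key_hash] = rec
        return secret, rec   # plaintext is returned once to the caller only

    def authenticate(self, authorization: str, now: datetime) -> Optional[ApiKey]:
        scheme, _, token = authorization.partition(" ")
        if scheme != "Bearer" or not token.startswith(KEY_PREFIX):
            return None   # not an API key: let Basic Auth / /auth/token handle it
        rec = self.by_hash.get(hash_key(token))
        if rec is None:
            return None
        if rec.expires_at and now >= rec.expires_at:
            return None   # expired
        if rec.grace_until and now >= rec.grace_until:
            return None   # rotated out and the grace period is over
        rec.last_used = now
        rec.request_count += 1
        return rec

    def rotate(self, key_hash: str, grace: timedelta, now: datetime):
        # New key inherits scopes/bindings/expiry; old key keeps working until grace_until.
        old = self.by_hash[key_hash]
        secret, new = self.create(old.name, old.scopes, old.created_by,
                                  project_id=old.project_id, agent_id=old.agent_id, now=now)
        new.expires_at = old.expires_at
        old.grace_until = now + grace
        old.replaced_by = new.key_hash
        return secret, new

    def revoke(self, key_hash: str):
        self.by_hash.pop(key_hash, None)


def authorize(rec: ApiKey, scope: str, project_id=None, agent_id=None) -> bool:
    # admin implies every scope; a project/agent binding restricts the key to that target.
    if scope not in rec.scopes and "admin" not in rec.scopes:
        return False
    if rec.project_id and rec.project_id != project_id:
        return False
    if rec.agent_id and rec.agent_id != agent_id:
        return False
    return True


def demo():
    # Fixed clock so the create -> authenticate -> rotate -> grace-expiry walk is reproducible.
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store = KeyStore()
    secret, rec = store.create("ci-bot", {"read", "chat"}, "alice",
                               project_id="proj-1", ttl=timedelta(days=30), now=t0)
    r = {"prefix_ok": secret.startswith(KEY_PREFIX),
         "plaintext_not_stored": secret not in store.by_hash}
    r["auth_ok"] = store.authenticate("Bearer " + secret, t0 + timedelta(hours=1)) is rec
    r["requests"] = rec.request_count
    r["read_own_project"] = authorize(rec, "read", project_id="proj-1")
    r["read_other_project"] = authorize(rec, "read", project_id="proj-2")
    r["write_denied"] = authorize(rec, "write", project_id="proj-1")
    r["wrong_key"] = store.authenticate("Bearer mk_notarealkey", t0) is None
    r["basic_passthrough"] = store.authenticate("Basic dXNlcjpwYXNz", t0) is None
    new_secret, new_rec = store.rotate(rec.key_hash, timedelta(hours=24), t0 + timedelta(days=1))
    mid = t0 + timedelta(days=1, hours=12)
    r["old_in_grace"] = store.authenticate("Bearer " + secret, mid) is rec
    r["new_in_grace"] = store.authenticate("Bearer " + new_secret, mid) is new_rec
    r["old_after_grace"] = store.authenticate("Bearer " + secret, t0 + timedelta(days=2, hours=1))
    r["new_expires"] = store.authenticate("Bearer " + new_secret, t0 + timedelta(days=31))
    return r


if __name__ == "__main__":
    print(demo())
```

Two design points worth carrying into the real implementation: the middleware decides by the `mk_` prefix whether a Bearer token is an API key or an `/auth/token` token, so the two schemes coexist without ambiguity; and rotation copies the expiry rather than resetting it, so rotating never silently extends a key's lifetime.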