API Keys — issuance, scopes, rotation
Keys are tamper-evident (cosign signature over the key fingerprint), least-privilege by scope AND flagship, and instantly revocable. The server never stores the raw key — only sha256(key).
Key format
szl_{env}_{flagship?}_{base62(16 bytes)}
env: live | test
flagship (optional bind): a11oy | amaru | sentra | killinchu | rosie
szl_live_d8Kf9... multi-flagship live key (allowlist in DB)
szl_live_killinchu_Q2m7... live key hard-bound to killinchu only
szl_test_4Hh1... sandbox key (no billing, no real fleet data)
Scopes
| Action scope | Flagship allowlist | Enforcement |
|---|---|---|
| read / write / admin | a11oy · amaru · sentra · killinchu · rosie | server-side, derived from the OpenAPI path operationId verb class |
Revocation writes a Khipu receipt and flips status to revoked; the next verification fails closed. A cosign signature lets a Greene-grade auditor verify the key-issuance event independently. Signing is honestly labeled cosign PLACEHOLDER (no Sigstore transparency-log inclusion yet).
Mint / revoke / rotate keys in the customer portal. This tab explains the model.
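An added example, not taken from API_KEY_SYSTEM.md or the product's own code, of the model described above: parse the key format, keep only sha256(key) server-side, and check scope and flagship so that any failed check denies the request. The base62 alphabet, the fixed 22-character width, the record layout and all function names are assumptions; the Khipu receipt and the cosign signature are not modelled.

```python
import hashlib
import re
import secrets

B62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # assumed alphabet
# szl_{env}_{flagship?}_{base62(16 bytes)}; fixed width 22 is an assumption
KEY_RE = re.compile(
    r"szl_(live|test)_(?:(a11oy|amaru|sentra|killinchu|rosie)_)?([0-9A-Za-z]{22})"
)

def base62_16(raw: bytes) -> str:
    """Encode 16 bytes as base62, left-padded to 22 characters."""
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 62)
        out = B62[r] + out
    return out.rjust(22, B62[0])

def fingerprint(key: str) -> str:
    """The only value the server keeps: sha256 over the full key string."""
    return hashlib.sha256(key.encode()).hexdigest()

def issue(store, env, scopes, flagships, bound=None):
    """Mint a key (constructed helper) and record its fingerprint, never the raw key."""
    parts = ["szl", env] + ([bound] if bound else [])
    key = "_".join(parts + [base62_16(secrets.token_bytes(16))])
    store[fingerprint(key)] = {"status": "active",
                               "scopes": set(scopes), "flagships": set(flagships)}
    return key  # shown to the caller once

def revoke(store, key):
    # Flip status; the next verify() call denies.
    store[fingerprint(key)]["status"] = "revoked"

def verify(store, key, scope, flagship):
    """Return True only if every check passes; anything else denies (fail closed)."""
    m = KEY_RE.fullmatch(key) if isinstance(key, str) else None
    if not m:
        return False
    rec = store.get(fingerprint(key))
    if rec is None or rec["status"] != "active":
        return False
    bound = m.group(2)
    if bound is not None and bound != flagship:
        return False  # hard-bound key presented for another flagship
    return flagship in rec["flagships"] and scope in rec["scopes"]
```

Because the fingerprint covers the whole key string, editing the env or flagship prefix of a valid key produces a different hash and the lookup fails.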
Source: customer_surface/API_KEY_SYSTEM.md