API Keys, Scopes & Quotas: Sharp Tools Need Labels
How scoped keys, rate limits, IP allowlists, monthly quota and rotation keep integrations useful without becoming skeleton keys.
An API key is a production tool. Treating it like a password taped under a keyboard is how integrations become incident reports. ReVend OS gives API keys their own management surface because sharp tools deserve labels.
Scopes
Keys carry scopes: read, write and admin. Each endpoint declares the scope it requires, and a call made with a key that lacks that scope is refused. Grant the narrowest scope the integration actually needs: a reporting integration should not receive admin power just because it was easier to click the biggest checkbox.
Limits
Responses include rate-limit and monthly-quota headers. Per-key minute limits prevent noisy loops from becoming a platform weather system; monthly quotas connect usage to the tenant's package. Usage appears under /settings/api/usage so integration owners can see what their systems are actually doing.
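To make the limits concrete, here is an added example of a per-key minute limit and monthly quota check that emits the corresponding headers. It is written for this page and is not ReVend OS code. The header names (X-RateLimit-*, X-Quota-*, Retry-After), the fixed-window counting, the in-memory KeyUsage record and the default limit values are assumptions; the real header names and the store behind the counters come from the product.

```python
import time
from dataclasses import dataclass

# Constructed defaults; in the product these come from the tenant's package (assumption).
MINUTE_LIMIT = 60
MONTHLY_QUOTA = 10_000


@dataclass
class KeyUsage:
    """Per-key counters. A real deployment keeps these in a shared store
    (for example Redis INCR with an expiry) so every API node sees the same numbers."""
    minute_window: int = 0   # epoch second that starts the current fixed 60 s window
    minute_count: int = 0
    month: str = ""          # "YYYY-MM" in UTC of the current quota period
    month_count: int = 0


def check_and_count(usage, now, minute_limit=MINUTE_LIMIT, monthly_quota=MONTHLY_QUOTA):
    """Return (allowed, headers). The request is counted only when it is allowed,
    so a client stuck in a 429 loop does not burn through its monthly quota."""
    window = int(now) - int(now) % 60
    if usage.minute_window != window:          # new minute: reset the short counter
        usage.minute_window, usage.minute_count = window, 0
    month = time.strftime("%Y-%m", time.gmtime(now))
    if usage.month != month:                   # new month: reset the quota counter
        usage.month, usage.month_count = month, 0

    reset_in = window + 60 - int(now)          # seconds until the minute window rolls over
    headers = {
        "X-RateLimit-Limit": str(minute_limit),
        "X-RateLimit-Reset": str(reset_in),
        "X-Quota-Limit": str(monthly_quota),
    }
    if usage.month_count >= monthly_quota:     # quota exhausted: hard stop until next month
        headers["X-RateLimit-Remaining"] = str(minute_limit - usage.minute_count)
        headers["X-Quota-Remaining"] = "0"
        return False, headers
    if usage.minute_count >= minute_limit:     # minute limit hit: tell the client when to retry
        headers["X-RateLimit-Remaining"] = "0"
        headers["Retry-After"] = str(reset_in)
        headers["X-Quota-Remaining"] = str(monthly_quota - usage.month_count)
        return False, headers
    usage.minute_count += 1
    usage.month_count += 1
    headers["X-RateLimit-Remaining"] = str(minute_limit - usage.minute_count)
    headers["X-Quota-Remaining"] = str(monthly_quota - usage.month_count)
    return True, headers
```

Two design choices worth noting. Fixed windows are simple to reason about but let a client spend two minutes' worth of calls across a window boundary; a token bucket or sliding window smooths that if it matters. And whether rejected calls count against the month is a policy decision; this example does not count them, so a misbehaving loop is stopped by the minute limit without also exhausting the tenant's package.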
IP allowlists and last-used data
Keys can carry IP allowlists. Successful use records last-used time, IP and user agent. When something starts calling from a new place, admins have facts instead of a room full of guesses.
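Scopes and IP allowlists are both decided at request time, so one added example covers the scope check from the Scopes section above together with the allowlist check and last-used recording from this section. It is written for this page and is not ReVend OS code. The endpoint table, the ApiKey fields, the rule that a key must hold exactly the scope an endpoint names (no implicit admin-includes-write hierarchy) and the convention that an empty allowlist means no IP restriction are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple


@dataclass
class ApiKey:
    key_id: str
    scopes: FrozenSet[str]              # subset of {"read", "write", "admin"}
    ip_allowlist: Tuple[str, ...]       # CIDR strings; empty means no IP restriction (assumption)
    last_used: Dict = field(default_factory=dict)


# Constructed endpoint table: each endpoint declares the scope it requires.
ENDPOINT_SCOPE = {
    ("GET", "/v1/reports"): "read",
    ("POST", "/v1/orders"): "write",
    ("DELETE", "/v1/keys"): "admin",
}


def ip_allowed(allowlist, client_ip):
    """True if the allowlist is empty or client_ip falls inside one of its CIDR ranges.
    A v6 address never matches a v4 range (and vice versa); ipaddress handles that."""
    if not allowlist:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:                   # unparsable address: treat as not allowed
        return False
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def authorize(key, method, path, client_ip, user_agent, now):
    """Decide one request. client_ip must come from the trusted proxy layer,
    never from a client-supplied header. Returns (status, reason)."""
    required = ENDPOINT_SCOPE.get((method, path))
    if required is None:
        return 404, "unknown endpoint"
    if not ip_allowed(key.ip_allowlist, client_ip):
        return 403, "ip not in allowlist"
    if required not in key.scopes:       # exact scope match; no implicit hierarchy (assumption)
        return 403, "insufficient scope"
    # Only successful use updates last-used, matching the text above; failed
    # attempts belong in the audit log, which this example leaves to the caller.
    key.last_used = {"at": now, "ip": client_ip, "user_agent": user_agent}
    return 200, "ok"
```

The allowlist is checked before the scope so a caller outside the allowed ranges learns nothing about what the key could do. The one input that is easy to get wrong is client_ip: if it is read from X-Forwarded-For without trusting only your own proxies, the allowlist is decided by whoever sends the header.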
Rotation
Creating or rotating a key shows the plaintext token exactly once; copy it into the integration's secret store at that moment, because it cannot be displayed again. Rotation supports an overlap window during which the old and new tokens both work, so integrations can switch cleanly without an outage. After that, the secret is a hash on the server and a memory everywhere else. This is inconvenient in exactly the way security should be.
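The lifecycle in this section, as an added example written for this page rather than ReVend OS code: mint a token, store only its hash, hand back the plaintext once, rotate with an overlap window, and purge superseded tokens once that window closes. The rvk_ prefix, SHA-256 as the stored hash and the in-memory KeyStore are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_PREFIX = "rvk_"   # assumed prefix; a recognisable prefix lets secret scanners spot leaked keys


@dataclass
class KeyRecord:
    key_id: str
    token_hash: str                     # hex SHA-256 of the plaintext; the plaintext is never stored
    created_at: float
    expires_at: Optional[float] = None  # set when a rotation supersedes this token


class KeyStore:
    """Constructed in-memory store keyed by token hash; a real deployment persists the same fields."""

    def __init__(self):
        self.records: Dict[str, KeyRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # Plain SHA-256 is enough here: the token carries 256 bits of randomness, so it
        # cannot be recovered from its hash by guessing. A slow KDF is for low-entropy
        # human passwords; the hash here only limits what a database leak gives away.
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, key_id: str, now: float) -> str:
        token = TOKEN_PREFIX + secrets.token_urlsafe(32)   # 32 random bytes = 256 bits
        digest = self._hash(token)
        self.records[digest] = KeyRecord(key_id, digest, now)
        return token   # the only moment the plaintext exists outside the caller's hands

    def create(self, key_id: str, now: float) -> str:
        return self._mint(key_id, now)

    def rotate(self, key_id: str, now: float, overlap_seconds: float) -> str:
        """Issue a replacement and give every still-live token of this key an expiry
        at now + overlap, so the integration can switch before the old one dies.
        An expiry that is already sooner is never pushed later by a second rotation."""
        new_expiry = now + overlap_seconds
        for rec in self.records.values():
            if rec.key_id == key_id and (rec.expires_at is None or rec.expires_at > now):
                rec.expires_at = new_expiry if rec.expires_at is None else min(rec.expires_at, new_expiry)
        return self._mint(key_id, now)

    def authenticate(self, token: str, now: float) -> Optional[str]:
        """Return the key_id for a live token, or None for unknown or expired tokens."""
        rec = self.records.get(self._hash(token))
        if rec is None or (rec.expires_at is not None and now >= rec.expires_at):
            return None
        return rec.key_id

    def purge_expired(self, now: float) -> int:
        """Drop superseded tokens whose overlap window has ended; returns how many were removed."""
        dead = [h for h, r in self.records.items() if r.expires_at is not None and now >= r.expires_at]
        for h in dead:
            del self.records[h]
        return len(dead)
```

Lookup is by the hash of the presented token, so the server never needs to compare plaintexts and a copy of the store is useless without the original tokens. If an integration is caught mid-rotation when the overlap ends, the fix is to rotate again, not to extend the old token's life; the min() in rotate keeps a second rotation from quietly doing that.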