API keys

Create, view, disable, and delete API keys at /admin/api-keys.

Lifecycle

• Create — the admin picks a label and scope (submit or read). The raw secret is shown once in the response page. Store it now; the app cannot recover it later.
• List — subsequent visits to /admin/api-keys show the key's label, prefix (first 12 characters of the raw secret), scope, is_enabled, last_used_at. The full secret is never re-displayed.
• Disable — sets is_enabled=false and stamps disabled_at. The key immediately stops authenticating. Audit trail preserved.
• Delete — removes the row entirely. Use this only when you no longer need the audit trail.

Storage

Stored fields per key:

• prefix — non-secret, used for lookup.
• hashed_secret — HMAC-SHA256(raw_key, SYTWM_API_KEY_PEPPER).

The raw secret is never persisted. Rotating SYTWM_API_KEY_PEPPER invalidates every existing key — only do this if a compromise is suspected.

Scopes

• submit — may POST to /api/v1/feedback and /api/v1/telemetry. May read post definitions (read access is required to fill a form). May not list feedback or telemetry.
• read — may GET feedback, telemetry, and post definitions. May not submit.

A future release may add finer-grained scopes (per-post, per-event-type).