What's New
Scoped API Keys
Create and manage multiple API keys, each scoped to a role from the RBAC hierarchy (viewer/operator/admin). Replaces the single shared token model for teams and CI/CD pipelines.
Key features:
- Create/List/Revoke lifecycle via API and UI
- Role scoping — viewer keys can only read, operator keys can create/renew certs, admin keys have full access
- Token format — cm_ prefix + 40 hex chars, stored as SHA-256 hash (plaintext shown once at creation)
- Optional expiration — set an expiry date per key
- Usage tracking — last_used_at updated on each authentication
- Soft revocation — revoked keys retained for audit trail
API endpoints:
- GET /api/keys — list all keys (admin only)
- POST /api/keys — create a new scoped key (admin only)
- DELETE /api/keys/<id> — revoke a key (admin only)
UI: New "API Keys" tab in Settings with create form, one-time token display with copy button, and keys table with role badges and revoke action.
Backward compatible: The legacy api_bearer_token in the General tab continues to work with full admin access. No migration needed.
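As an added illustration (not the project's own code), a minimal Python model of the key lifecycle described above: mint a cm_-prefixed token, keep only its SHA-256 hash, and authenticate with role, expiry and revocation checks plus the last_used_at update. The function names, the in-memory store and the viewer < operator < admin ranking are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Assumed ordering of the RBAC hierarchy: higher rank satisfies lower requirements.
ROLE_RANK = {"viewer": 0, "operator": 1, "admin": 2}

# Constructed in-memory store: key id -> record. Only the hash is ever stored.
KEYS = {}


def create_key(name, role, expires_in_days=None):
    """Mint a key and return (id, plaintext). Plaintext is shown once, never stored."""
    if role not in ROLE_RANK:
        raise ValueError("unknown role")
    token = "cm_" + secrets.token_hex(20)  # 20 random bytes -> 40 hex chars
    expires_at = None
    if expires_in_days is not None:
        expires_at = datetime.now(timezone.utc) + timedelta(days=expires_in_days)
    key_id = len(KEYS) + 1
    KEYS[key_id] = {
        "name": name, "role": role,
        "hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires_at": expires_at, "revoked_at": None, "last_used_at": None,
    }
    return key_id, token


def revoke_key(key_id):
    """Soft revocation: the record stays for the audit trail, only revoked_at is set."""
    KEYS[key_id]["revoked_at"] = datetime.now(timezone.utc)


def authenticate(token, required_role, now=None):
    """Return the key record if token is valid and its role suffices, else None."""
    now = now or datetime.now(timezone.utc)
    if not token.startswith("cm_") or len(token) != 43:
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    for rec in KEYS.values():
        if not hmac.compare_digest(rec["hash"], digest):
            continue
        if rec["revoked_at"] is not None:
            return None
        if rec["expires_at"] is not None and now >= rec["expires_at"]:
            return None
        if ROLE_RANK[rec["role"]] < ROLE_RANK[required_role]:
            return None
        rec["last_used_at"] = now  # usage tracking on successful auth
        return rec
    return None
```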
Tests
- 25 unit tests covering key CRUD, auth flow, revocation, expiration, and edge cases
- Bandit clean
Full Changelog: v1.10.7...v1.11.0