API key management endpoints.

Provides REST creation/listing/deletion of engine API keys as an
alternative to the assay serve --generate-api-key CLI subcommand.

POST /api/v1/api-keys supports a client-supplied label and an
idempotent flag. When idempotent = true and a key with that label
already exists, the handler returns the existing record’s metadata
without a plaintext — the plaintext was handed out at generation
time and is never retrievable again.

The POST endpoint is intentionally callable without authentication
when the api_keys table is empty (see api/auth.rs middleware). This
is the first-ever-key bootstrap window: without it, a freshly deployed
server running in API-key or combined mode has no way to receive its
first credential. The window closes as soon as any key exists.
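
A minimal model of the bootstrap gate and the idempotent path described above, added here as an illustration and not taken from the project's api/auth.rs or handler code. KeyStore, KeyMeta, Outcome, the authenticated flag and fresh_secret are hypothetical names, and the in-memory Vec stands in for the api_keys table.

```rust
use std::sync::Mutex;

#[derive(Debug, Clone, PartialEq)]
pub struct KeyMeta { pub id: u64, pub label: String }

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Created { meta: KeyMeta, plaintext: String }, // the only time plaintext is returned
    Existing { meta: KeyMeta },                   // idempotent hit: metadata only
    Unauthorized,
}

#[derive(Default)]
pub struct KeyStore { keys: Mutex<Vec<KeyMeta>> } // in-memory stand-in for api_keys

impl KeyStore {
    /// `authenticated` is the result of the normal credential check;
    /// `fresh_secret` is assumed to come from a CSPRNG in the caller.
    pub fn create(&self, authenticated: bool, label: &str, idempotent: bool,
                  fresh_secret: &str) -> Outcome {
        // One lock covers the emptiness check and the insert, so two concurrent
        // first requests cannot both pass through the bootstrap window.
        let mut keys = self.keys.lock().unwrap();
        // Gate first: without credentials, only an empty table is allowed.
        if !authenticated && !keys.is_empty() {
            return Outcome::Unauthorized;
        }
        if idempotent {
            if let Some(meta) = keys.iter().find(|k| k.label == label) {
                return Outcome::Existing { meta: meta.clone() };
            }
        }
        // Assumption: a repeated label without `idempotent` mints another key.
        let meta = KeyMeta { id: keys.len() as u64 + 1, label: label.to_string() };
        keys.push(meta.clone());
        Outcome::Created { meta, plaintext: fresh_secret.to_string() }
    }
}

fn main() {
    let store = KeyStore::default();
    // Constructed sample calls: bootstrap, closed window, authenticated retry.
    println!("{:?}", store.create(false, "bootstrap", true, "constructed-secret-1"));
    println!("{:?}", store.create(false, "bootstrap", true, "constructed-secret-2"));
    println!("{:?}", store.create(true, "bootstrap", true, "constructed-secret-3"));
}
```

Because the gate runs before the label lookup, an unauthenticated caller cannot use idempotent = true to read key metadata once the window has closed.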