Create a personal API key
Mints a new personal API key.
Authorizations
Supabase JWT token in Authorization: Bearer header
Body
Friendly name for the key (e.g., "ci-prod", "local-dev"). Capped at 100 characters; longer names are truncated server-side.
Capability set for this key. If omitted, the API substitutes the default. Admin scopes (admin:org, admin:platform) are gated by the requester's current role and return HTTP 403 at mint time if the requester is not eligible.
Capability-based scope (ADR-049). gateway permits gateway-worker traffic; api:read and api:write permit identity-scoped GET and write endpoints respectively; admin:org permits org-admin operations on orgs the bearer owns/admins (per-request membership re-check); admin:platform permits /v1/admin/* Mnemom-staff operations (per-request staff-role re-check). The legacy api scope is accepted for backward compatibility and aliased to api:read + api:write at the auth gate; new keys should use the canonical vocabulary.
gateway, api:read, api:write, admin:org, admin:platform, api
Response
API key created (secret shown once)
Full secret. Capture now — never returned again.
Capability-based scope (ADR-049). gateway permits gateway-worker traffic; api:read and api:write permit identity-scoped GET and write endpoints respectively; admin:org permits org-admin operations on orgs the bearer owns/admins (per-request membership re-check); admin:platform permits /v1/admin/* Mnemom-staff operations (per-request staff-role re-check). The legacy api scope is accepted for backward compatibility and aliased to api:read + api:write at the auth gate; new keys should use the canonical vocabulary.
gateway, api:read, api:write, admin:org, admin:platform, api
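The mint-time rules described above (name truncation, legacy alias expansion, role gating of admin scopes) modelled as a client-side pre-flight check before requesting a key. This is an added example, not Mnemom's code; the role names, the default scope set passed in by the caller, and the 400 status for an unknown scope are assumptions, and the per-request membership and staff-role re-checks are not modelled.

```python
# Added example: local model of the documented mint-time scope rules.
CANONICAL = {"gateway", "api:read", "api:write", "admin:org", "admin:platform"}
# Legacy "api" is aliased to api:read + api:write at the auth gate.
LEGACY_ALIASES = {"api": {"api:read", "api:write"}}
# Hypothetical role names: the page only says admin scopes are role-gated.
ADMIN_GATES = {"admin:org": "org_admin", "admin:platform": "staff"}
NAME_MAX = 100  # names longer than this are truncated server-side


class MintError(Exception):
    """Carries the HTTP status the request would be expected to fail with."""

    def __init__(self, status, detail):
        super().__init__(f"{status}: {detail}")
        self.status = status


def normalize_scopes(requested):
    """Expand the legacy alias and reject scopes outside the vocabulary."""
    effective = set()
    for scope in requested:
        if scope in LEGACY_ALIASES:
            effective |= LEGACY_ALIASES[scope]
        elif scope in CANONICAL:
            effective.add(scope)
        else:
            # Assumption: the page does not say how unknown scopes are handled.
            raise MintError(400, f"unknown scope {scope!r}")
    return sorted(effective)


def plan_mint(name, requested, roles, default_scopes):
    """Return (stored_name, effective_scopes), or raise MintError(403).

    requested=None models an omitted scope set; default_scopes is supplied
    by the caller because the page does not state what the default is.
    """
    scopes = normalize_scopes(default_scopes if requested is None else requested)
    for scope in scopes:
        gate = ADMIN_GATES.get(scope)
        if gate is not None and gate not in roles:
            raise MintError(403, f"{scope} requires role {gate!r}")
    return name[:NAME_MAX], scopes
```

Running this in CI before minting shows which effective scopes a key would carry, which helps keep keys such as "ci-prod" on the narrowest set that works.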