API Keys
API Keys is the admin screen for bearer tokens used by REST, MCP, CLI automation, and external services.
API keys use the rst_ prefix and are owned by Roster identities. A key never
has more access than its owner. Effective access is:
key scopes ∩ owner rights ∩ resource rulesThe table shows:
- API key name
- Token prefix
- Status: active, expired, or revoked
- Owner name and email or owner ID
- Scopes
- Last used time
- Expiration time
- Created time
The full token is displayed only immediately after creation.
Create an API Key
Section titled “Create an API Key”When creating a key, set:
- Name
- Owner identity
- Scope preset or custom scopes
- Optional expiration
Scope presets are:
| Preset | Includes |
|---|---|
| Resolve only | Resolve and resolve-history scopes for REST and MCP. |
| Read-only | Resolve plus read scopes for projects, participants, labels, delegations, and resolve history. |
| Manage roster | All available REST and MCP scopes. |
| Custom | Manually selected scopes. |
Write scopes automatically include their matching read scope when added through the platform picker.
Revoke
Section titled “Revoke”Revocation is permanent. Existing clients using the token stop working after the key is revoked. Create a replacement key before revoking when rotating production automation.
For scope semantics and authentication examples, see Auth Methods.