# API Keys

Create, list, update, and revoke project API keys through SeaGate.

## Create a key

The caller must be an authenticated user session with API-key write permission. The created token is returned only once; store it in your secret manager immediately.

`spendLimitMicros` and `expiresAt` are key policy metadata. Runtime spend enforcement is tied to SeaChat quota accounts and model usage reservations.

```bash
curl https://seachat.ai/api/keys \
  -H "Authorization: Bearer $SEACHAT_SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "label": "docs quickstart",
    "scopes": ["model:invoke", "usage:read"],
    "spendLimitMicros": 5000000
  }'
```

## Manage keys

Use `GET /api/keys` to list visible, non-revoked keys. Use `PATCH /api/keys/{keyId}` for label, scopes, expiration, or policy metadata. Use `DELETE /api/keys/{keyId}` to revoke.