Developer
API Keys
Issue, scope, attenuate, rotate, and revoke credentials. Each delegated token's scope is a subset of its parent's, carries caveats, and has a TTL — the capability-token model behind auto-onboarding.
CAPABILITY TOKENS
Keys
| Key | Scope | Created | Last used | Status | Actions |
|---|---|---|---|---|---|
| um_space-root_••••••7kwr | space-rootall-bucketsall-perms | 2026-04-01 | 2026-06-05 | ACTIVE | |
| um_ci-ingest_••••••2asm | shared:mainreadwrite | 2026-05-12 | 2026-06-04 | ACTIVE | |
| um_legacy_••••••iatt | shared:mainread | 2026-02-20 | 2026-03-30 | REVOKED |
Delegated capability tokens
🏰 ATTENUATION- space-rootall bucketsall permsTTL none (root)
- plannershared:mainread/write/promoteTTL 24h
- codershared:mainread/writeno-promoteTTL 1h
- web-toolshared:mainread-onlyTTL 15m
Revocation is TTL-first — short-lived tokens expire on their own; the denylist handles emergency revokes (IDENTITY.md §5).