API key leakage prevention
ThrottleProxy keys are created after verified-user and workspace permission checks, displayed once, stored as hashes, looked up exactly, and removed from outbound requests. Application secret storage and incident response remain your responsibility.
Practical boundaries
Require an authenticated, email-verified user with workspace key-management permission.
Return the raw value only at creation so it can move directly into approved secret storage.
Persist and cache deterministic hashes rather than the reusable raw key.
Authenticate with one SHA-256 operation and one exact Redis lookup instead of scanning keys.
Remove proxy Authorization, x-api-key, cookies, and ThrottleProxy headers from outbound traffic.
Deactivate workspace keys and remove their exact cached configuration.
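The lifecycle listed above, sketched as an added example (not ThrottleProxy's own code). In-memory dicts stand in for the database and Redis, and the `tp_` key format, the `x-throttleproxy-` header prefix and the `key_admin_for` field are assumptions.

```python
import hashlib
import secrets

db = {}     # persisted key records, indexed by SHA-256 digest
cache = {}  # stands in for Redis: exact-key GET/SET/DEL only (assumption)

STRIP = {"authorization", "x-api-key", "cookie"}
PROXY_PREFIX = "x-throttleproxy-"  # hypothetical prefix, not from the page


def digest(raw_key):
    # Unsalted SHA-256 is reasonable only because the key is long and random.
    return hashlib.sha256(raw_key.encode()).hexdigest()


def create_key(user, workspace):
    if not (user.get("authenticated") and user.get("email_verified")):
        raise PermissionError("authenticated, email-verified user required")
    if workspace not in user.get("key_admin_for", ()):
        raise PermissionError("workspace key-management permission required")
    raw = "tp_" + secrets.token_urlsafe(32)  # constructed key format
    d = digest(raw)
    db[d] = {"workspace": workspace, "active": True}
    cache["key:" + d] = {"workspace": workspace}
    return raw  # shown once to the caller; never stored or cached


def authenticate(presented):
    # One hash, one exact lookup; no iteration over stored keys.
    entry = cache.get("key:" + digest(presented))
    return entry["workspace"] if entry else None


def deactivate(d):
    # Takes the digest, so the operator never handles the raw value.
    if d in db:
        db[d]["active"] = False
    cache.pop("key:" + d, None)


def strip_outbound(headers):
    # Drop proxy credentials, cookies and proxy-internal headers before upstream.
    return {k: v for k, v in headers.items()
            if k.lower() not in STRIP and not k.lower().startswith(PROXY_PREFIX)}
```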
No. The reusable value is displayed once; stored and cached representations use its hash.
No. Proxy credentials and cookies are stripped before the upstream request.
Deactivate the key, update the application secret through an approved channel, and review sanitized lifecycle context without pasting the old value.
Use one workspace key, one exact public host, and non-sensitive test traffic.