Verified creator
Live key creation requires an authenticated user with a verified email.
API key management
ThrottleProxy keys authenticate applications to the proxy. Creation requires a verified user with the right workspace role, lookup is exact and constant-time, and deactivation invalidates cached configuration.
Practical boundaries
Live key creation requires an authenticated user with a verified email.
Only Owner, Admin, and Developer roles can create or deactivate proxy keys.
The raw key is created for the caller while storage uses a hash rather than the reusable credential.
Authentication hashes the presented key and performs one exact Redis config lookup without keyspace scans.
Deactivation includes the authorized workspace in the mutation query, so foreign object IDs return not found.
Deactivation removes the exact cached configuration entry so stale access is not left active.
No. It authenticates the caller to ThrottleProxy and is stripped before forwarding. Provider credentials are a separate concern.
The server requires an active Owner, Admin, or Developer membership plus a verified email.
The workspace-scoped database row is deactivated and its exact Redis configuration entry is invalidated.
Use one workspace key, one exact public host, and non-sensitive test traffic.