All releases
Feature

API keys — author full IAM-style policies from the console

Mint a Platform API Key with a multi-statement policy: allow / deny effects, action wildcards, and resource URN scoping. Fine-grained service-to-service auth, authored in the console.

Platform API Keys (pcft_live_*) now carry the full IAM-style policy shape end-to-end. Mint a key from Workspace → API keys → New API key and build the policy as a list of statements:

  • Effect: allow or deny. Explicit deny wins, matching AWS IAM precedence — useful for "give it everything except workspace.delete".
  • Actions: pick literals from the permission catalog (search-friendly with per-service group toggles), or write wildcards like agora.* and *.read.
  • Resources: list of URN patterns, e.g. pcft:agora:community/abc-123 or pcft:rally:waitlist/*. Use * for an unscoped allow.

Caller-narrowing is enforced both in the picker and on the server: you can't mint a key with permissions broader than what your own policy lets you grant. Existing keys continue to work; the editor is opt-in for new mints and for re-issuing.