API Keys

Provider credentials read by the ingestion ETL at runtime. Rotate here when a key expires — no redeploy needed (PLAN §8).

Add / rotate a key

Encrypted at rest

Keys are stored encrypted in core.api_keys via pgcrypto (ADR-012) and only ever decrypted to render the 4-char mask below. The full value is never exposed by this UI.

Stored keys

No API keys stored yet

Add one above so the ingestion ETL can authenticate against the provider.