Until this week, an API key inherited the access of whoever created it. Fine for scripts you run yourself; wrong shape for a production worker that should outlive any one teammate.

API keys now come in two flavors:
- Personal keys still inherit your RBAC role and per-engine grants – same as before.
- Service keys are decoupled from any single user, with their own role and/or per-engine scope. A service key can be roleless and reach only the engines listed on it.

Anti-escalation guards apply on create and edit, and if Enterprise is dropped, service keys deactivate cleanly with a typed 403 instead of a phantom "no engine scope" error.
The full RBAC system lands on the Enterprise plan the same week: roles, role assignments, per-user engine access, ownership transfer.
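A small model of how the two key types resolve access, written as an added example and not the product's implementation. The role names, the rule that an admin role reaches every engine, the anti-escalation rule, the error codes, and every class and function name are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed role names and ordering; the page does not list the product's roles.
RANK = {None: 0, "member": 1, "admin": 2}

class Forbidden(Exception):
    """Typed 403: callers branch on .code instead of parsing a message."""
    status = 403
    def __init__(self, code):
        super().__init__(code)
        self.code = code

@dataclass
class User:
    role: Optional[str]
    engines: frozenset = frozenset()
    active: bool = True           # False once the teammate leaves the org

@dataclass
class Key:
    kind: str                     # "personal" or "service"
    owner: Optional[User] = None  # personal keys only
    role: Optional[str] = None    # service keys only; None means roleless
    engines: frozenset = frozenset()

def create_service_key(creator, role, engines):
    """Anti-escalation guard (assumed rule): never mint more than you hold.
    An edit path would run the same two checks."""
    engines = frozenset(engines)
    if RANK[role] > RANK[creator.role]:
        raise Forbidden("role_escalation")
    if creator.role != "admin" and not engines <= creator.engines:
        raise Forbidden("engine_escalation")
    return Key("service", role=role, engines=engines)

def authorize(key, engine, enterprise=True):
    """Return True if the key may call `engine`, else raise Forbidden."""
    if key.kind == "personal":
        if not key.owner.active:
            raise Forbidden("owner_inactive")
        role, engines = key.owner.role, key.owner.engines  # inherited live
    else:
        if not enterprise:
            raise Forbidden("service_keys_require_enterprise")
        role, engines = key.role, key.engines              # the key's own grants
    if role == "admin" or engine in engines:               # assumed: admin reaches all
        return True
    raise Forbidden("no_engine_scope")
```

Because the Enterprise check runs before scope evaluation, a downgraded org gets a distinct error code instead of the misleading scope error.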
Also shipped
- Audit log foundations. New tables and auth policies for org-wide audit events. Emitters and UI follow next week.
- Engines now have an enabled/disabled toggle. Disabled engines stop accepting requests without being deleted.
