Mint an API key (owner-only)
Returns the plaintext key exactly ONCE — only the sha256 hash + a display prefix (e.g. jbt_test_a1b) are persisted. mode defaults to test. An optional scopes allowlist (by automation name) restricts the key to specific automations over both the run gateway and MCP; omitted/null/[] all mean unscoped (every published automation in the org).
承認
The dashboard's signed, HttpOnly session cookie (packages/service/src/auth.ts): base64url(payload).base64url(hmac-sha256), absolute 30-day lifetime, SameSite=Lax, Secure on any TLS deployment. Minted by POST /api/auth/signup or POST /api/auth/login (or, outside production, auto-provisioned by GET /api/session). Because it is HttpOnly, it cannot be read or attached by a browser-based API-reference "Try it" panel across origins — exercise these routes with a real logged-in browser session or a cookie-jar HTTP client.
ボディ
レスポンス
Key minted; plaintext is shown here and nowhere else.
The response of POST /api/keys — the ONLY time the plaintext key is ever returned.
"jbt_test_a1b"
live, test "jbt_live_9f2c7b1a4e6d8053a1b2c3d4"
Automation-name allowlist. Absent ⇒ unscoped (every published automation in the org).