Open
Summary
Configurable API key policies to enforce security best practices.
Requirements
- Configurable default API key expiry via Security settings (default: no expiry)
- Maximum allowed scopes per role (prevent scope elevation by design)
- API key rotation reminders: audit log warning when keys approach configured expiration
- Forced expiry: option to enforce maximum key lifetime
- UI indicators for key age and expiry status on API Keys management page
Design Reference
See docs/plans/2026-02-18-auth-hardening-design.md
Depends On
- Auth hardening sprint (Sprint 19)