Per-user keys minted at /auth/api-keys (create/list/revoke); requests authenticate with the X-API-Key header instead of the session cookie. The raw key value is shown only once at creation.
/auth/api-keys
X-API-Key
