PUBLIC PROOF ARTIFACT

Developer access with receipts, not vibes.

Sprint 3 adds real developer apps, real bearer keys, real per-key limits, and real docs/OpenAPI alignment so external platform access can be inspected instead of inferred.

Sprint 3 proof | Developer apps + keys | Updated 2026-03-31

  • 4 published proof checks
  • 2 bearer-enabled routes
  • 1 generated OpenAPI source

WHY THIS EXISTS
Platform access should be narrow, inspectable, and rate-bounded.

HOWFAR now exposes a small explicit developer lane instead of pretending every protected API magically supports external callers.

  • Signed-in owners register apps before minting keys
  • Bearer auth is only accepted on approved routes
  • Per-key limits are enforced on live request paths

Published checks

Developer apps and one-time key issuance

Signed-in owners can register developer apps, scope them, and mint bearer keys that are only shown once at creation time.

  • `src/app/api/developer/apps/route.ts`
  • `src/app/api/developer/keys/route.ts`

Bearer-key verification path

Developer keys can be verified on a dedicated endpoint before they are used on broader API calls.

  • `src/app/api/developer/verify/route.ts`
  • `src/lib/server/requireAuth.ts`

Per-key rate limiting on live API traffic

Bearer-authenticated agent chat requests are rate-limited per key, not only per IP, preventing one key from spamming the shared developer surface.

  • `src/app/api/agents/chat/route.ts`
  • `src/lib/server/rateLimit.ts`
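
The sketch below is an added example, not HOWFAR's code, showing how the three checks above fit together: a key returned once and stored only as a hash, bearer auth refused off an allowlist, and a rate-limit bucket keyed on the key rather than the client IP. The function names, the `hf_` prefix, the limit values, and the two route paths (inferred from the file paths listed here) are assumptions.

```typescript
import { createHash, randomBytes } from "node:crypto";

// All names and values here are illustrative assumptions, not HOWFAR's code.
const BEARER_ROUTES = new Set(["/api/developer/verify", "/api/agents/chat"]); // assumed allowlist
const LIMIT = 3;          // constructed: requests per key per window
const WINDOW_MS = 60_000; // constructed: fixed window length

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

const keyHashes = new Map<string, string>(); // sha256(key) -> appId; plaintext never stored
const windows = new Map<string, { start: number; count: number }>();

// Mint a key: the plaintext is returned once, only its hash is kept server-side.
function mintKey(appId: string): string {
  const key = "hf_" + randomBytes(24).toString("hex"); // "hf_" prefix is constructed
  keyHashes.set(sha256(key), appId);
  return key;
}

type Decision = { status: 200 | 401 | 403 | 429; appId?: string };

// Decide one request. `now` is injected so the window logic can be tested.
function authorize(path: string, authHeader: string | undefined, now: number): Decision {
  const m = /^Bearer (\S+)$/.exec(authHeader ?? "");
  if (!m) return { status: 401 };
  // A bearer key presented on a route outside the allowlist is refused outright.
  if (!BEARER_ROUTES.has(path)) return { status: 403 };
  const id = sha256(m[1]);
  const appId = keyHashes.get(id);
  if (!appId) return { status: 401 };
  // Bucket by key hash, not client IP: callers behind one NAT do not share a
  // budget, and a single key gains nothing by spreading across addresses.
  const w = windows.get(id);
  if (!w || now - w.start >= WINDOW_MS) {
    windows.set(id, { start: now, count: 1 });
    return { status: 200, appId };
  }
  if (w.count >= LIMIT) return { status: 429 };
  w.count += 1;
  return { status: 200, appId };
}
```

The in-memory maps stand in for whatever shared store a multi-instance deployment would need; a per-process counter would let each instance grant its own budget.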

Docs and contract proof stay in sync

The public API docs and generated OpenAPI contract now document the developer-key flow and approved bearer-authenticated endpoints.

  • `src/app/docs/api/page.tsx`
  • `scripts/openapi-next.mjs`
  • `docs/api/openapi.next.yaml`