Auth & scopes
Key formats, scopes, rotation, revocation, BYOK option for storage.
What it is
Key formats
- Live:
asc_live_<48 chars> - Test:
asc_test_<48 chars> - Internal admin keys are short-lived JWTs only (no static format).
Scopes — see the full table. Least privilege by default: new keys get only *:read until you opt into write scopes.
Rotation — POST /v1/keys/{id}/rotate returns a new secret. The old secret continues to accept requests for 30 seconds, then 401s.
Revocation — POST /v1/keys/{id}/revoke is immediate.
BYOK — for object storage, you can provide your own AES-256 envelope key via POST /v1/storage/{bucket}/byok. We never persist your key material; instead we encrypt the per-object DEK with your key, and use your key reference (KMS ARN-equivalent) to decrypt on read. Revoking your key makes the bucket inaccessible.
Audit — every key creation, rotation, revocation and reveal is logged. Reveals require admin:* scope and the user-visible secret value is returned only once.
Quickstart
asc keys create deploy --scopes pods:write,storage:write
asc keys rotate <id>
asc keys revoke <id>client.keys.create(name='deploy', scopes=['pods:write','storage:write'])await client.keys.create({ name: 'deploy', scopes: ['pods:write','storage:write'] });Limits & quotas
| Limit | Default | Burst | Notes |
|---|---|---|---|
| Old-secret grace on rotate | 30 s | — |