AIARCOASC Docs

Auth & scopes

Key formats, scopes, rotation, revocation, BYOK option for storage.

What it is

Key formats

  • Live: asc_live_<48 chars>
  • Test: asc_test_<48 chars>
  • Internal admin keys are short-lived JWTs only (no static format).

Scopes — see the full table. Least privilege by default: new keys get only *:read until you opt into write scopes.

RotationPOST /v1/keys/{id}/rotate returns a new secret. The old secret continues to accept requests for 30 seconds, then 401s.

RevocationPOST /v1/keys/{id}/revoke is immediate.

BYOK — for object storage, you can provide your own AES-256 envelope key via POST /v1/storage/{bucket}/byok. We never persist your key material; instead we encrypt the per-object DEK with your key, and use your key reference (KMS ARN-equivalent) to decrypt on read. Revoking your key makes the bucket inaccessible.

Audit — every key creation, rotation, revocation and reveal is logged. Reveals require admin:* scope and the user-visible secret value is returned only once.

Quickstart

asc keys create deploy --scopes pods:write,storage:write
asc keys rotate <id>
asc keys revoke <id>
client.keys.create(name='deploy', scopes=['pods:write','storage:write'])
await client.keys.create({ name: 'deploy', scopes: ['pods:write','storage:write'] });

Limits & quotas

LimitDefaultBurstNotes
Old-secret grace on rotate30 s