API Keys

Browser-based API key management is part of the Layer 3 commercial shell (Omerta-backed identity + permissions). It is not present in the Layer 1 OSS build.

In the OSS build, bearer tokens are operator-managed:

Self-hosted: set TRACES_BEARER_TOKENS at boot. The server only stores SHA-256 hashes — see RUNBOOK.md.
Cloud: identity flows through the configured Omerta adapter; tokens are issued and revoked through the Omerta control plane, not here.

Use the Agent CLI (traces auth login) to bind a profile to a token without exposing it to the browser.