Reference
API keys & scopes
Keys are how everything authenticates to Inkvo — collectors, CI, and read clients. Scopes keep each one to exactly what it needs.
Scopes
| Scope | Grants | Typical holder |
|---|---|---|
ingest:* | Write traces, metrics, logs, deploys | OTel collector |
deploys:write | Send deploy markers only | CI pipeline |
read:incidents | Read incidents & narratives | BI / dashboards |
admin:* | Full workspace control | Humans, sparingly |
Rotation
Keys are shown exactly once at creation. Rotate by creating a new key, deploying it, then revoking the old one — both work during the overlap so there's no ingest gap. Every create and revoke lands in the audit log.
One key per environment per purpose
Don't share a key across prod and staging. Scoping by environment is what makes the audit trail and blast-radius math trustworthy.