Minting API keys for AI integrations

Org API keys authenticate every public-API and MCP request. Mint them at Settings → Developer → API Keys.

Two paths to a key:
1. Manual key — pick exact scopes for fine-grained control (Settings → Developer → "+ New API Key")
2. Connect-flow key — go to /connect, pick a client (Cursor / Claude Desktop / etc.), and we mint a key with the AI-assistant scope bundle automatically

The AI-assistant scope bundle (used by /connect):
Reads: articles, contacts, accounts, opportunities, events, grants, quotes, products, context
Writes: notes, contacts, articles, events
Excluded: email:send (don't let an AI mass-email by default), grants:write, *:write wildcard

For per-client granularity, mint a manual key with only what you need (e.g. just contacts:read + notes:write for a "log calls" integration).

Wildcards:
• *:read — any current or future read scope
• *:write — any current or future write scope (does NOT imply reads)

Storage and security:
• Plaintext is shown exactly once at creation
• Server stores only the SHA-256 hash
• Optional IP allowlist
• Per-key usage counters (today + this month) visible in the UI
• Revoke instantly — invalidates the key on the next request

Best practices:
• One key per integration so you can revoke without affecting others
• Name keys descriptively ("Cursor on jane's MacBook", "ChatGPT custom GPT — Sales", "Zapier — Q3 webinar enrollments")
• Rotate at least quarterly for keys that touch writes
• Don't commit plaintext to source control — use environment variables (TURTINI_API_KEY)

Permissions:
Only org owners and admins can mint, list, or revoke API keys. Member-level users can ask their admin via Settings → Developer.