Virtual keys

Scoped API credentials the gateway uses to authenticate every request.

Last updated 18 Apr 2026

A virtual key is a tenant-owned credential that the gateway accepts on inbound requests. Keys are minted in the operator portal and never leave the tenant boundary in plaintext after minting.

Anatomy

op_live_26f2_f9b8c4e2aa1345b7d3f27a901c55d88a
^^ ^^^^ ^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|  |    |    └── secret (shown once at mint; we only store a hash)
|  |    └── prefix (indexed for fast lookup)
|  └── environment (live / test)
└── provider prefix

Scopes

Scopes are strings and are matched by the OPA policy bundle. Common scopes:

  • room:$ID — only this room can use the key
  • model:$FAMILY — e.g. model:instruct, model:embedding
  • tool:$NAME — allow specific tool calls (e.g. tool:rag.search)
  • budget:$AMOUNT/$PERIOD — e.g. budget:10000/day (cents)

A key can carry multiple scopes. Policies compose them — e.g. only allow a tool:code_exec call if the key also carries room:engineering.

Minting

From the portal, Virtual keys → New key:

# Equivalent API call (staff only)
curl -X POST https://ops.eu-1.operayde.com/v1/virtual-keys \
  -H "Authorization: Bearer $STAFF_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "tenant_id": "acme",
    "name": "research-team",
    "scopes": ["room:research", "model:instruct", "budget:50000/day"],
    "expires_at": "2027-01-01T00:00:00Z"
  }'

The response includes the full key exactly once. If the user loses it, they mint a new one and revoke the old.

Revocation

Revocation is immediate. The gateway maintains a signed revocation list that it checks before evaluating policy. A revoked key returns 401 within seconds across the fleet.
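
The following is an added example, not Operayde's own code: one way a gateway could authenticate a key laid out as in Anatomy (prefix lookup, then a constant-time comparison of the secret's hash) and consult the revocation list before policy, as described under Revocation. SHA-256, the store schema, the key ids and the in-memory revocation set are assumptions; the first stored key is the sample key shown on this page.

```python
import hashlib
import hmac
import re
from typing import Optional

# Layout from the Anatomy section: provider_environment_prefix_secret.
# Field lengths and the hex alphabet are assumptions read off the sample key.
KEY_RE = re.compile(r"op_(live|test)_([0-9a-f]{4})_([0-9a-f]{32})")


def hash_secret(secret: str) -> str:
    # Assumption: SHA-256. The page only says that a hash is stored.
    return hashlib.sha256(secret.encode("ascii")).hexdigest()


# Constructed sample store indexed by (environment, prefix); hypothetical schema.
KEY_STORE = {
    ("live", "26f2"): {
        "id": "vk_1",
        "secret_hash": hash_secret("f9b8c4e2aa1345b7d3f27a901c55d88a"),
        "scopes": ["room:research", "model:instruct", "budget:50000/day"],
    },
    ("live", "77aa"): {
        "id": "vk_2",
        "secret_hash": hash_secret("0" * 32),
        "scopes": ["room:engineering"],
    },
}
REVOKED_IDS = {"vk_2"}  # stands in for the verified, signed revocation list


def authenticate(presented: str) -> Optional[dict]:
    """Return the key record, or None where the gateway would answer 401."""
    m = KEY_RE.fullmatch(presented)
    if m is None:
        return None
    env, prefix, secret = m.groups()
    record = KEY_STORE.get((env, prefix))
    # Hash and compare even on a prefix miss so both paths do the same work.
    expected = record["secret_hash"] if record else hash_secret("")
    if not hmac.compare_digest(hash_secret(secret), expected) or record is None:
        return None
    if record["id"] in REVOKED_IDS:  # revocation is checked before policy
        return None
    return record  # the scopes go to policy evaluation next
```

An unsalted fast hash is acceptable here only because the secret is a long random value rather than a user-chosen password.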