API key

A LearnCoin API key is a bearer token with the shape lrn_test_<hex> or lrn_live_<hex>. It authenticates a specific tenant to the LearnCoin REST API. The prefix tells the API which mode to operate in: test keys write to test-mode rows and anchor on Base Sepolia; live keys operate on Base mainnet.

Keys carry permission scopes — credentials:issue, credentials:read, credentials:revoke, batches:read, recipients:read, and similar. A platform might issue a key with only credentials:read to an analytics service that shouldn't be able to issue or revoke. Least-privilege is the default.

Keys are rotatable. Compromised keys can be revoked without affecting the tenant's signed credentials — the credentials are cryptographically bound to the tenant's KMS signing key, not to the API key used to issue them. The API key is an access-control concern; the signing key is a cryptographic one.

Never commit API keys to source control. LearnCoin uses Doppler for secret management; tenants should use their own secret-management system.