COFFEE-KEY · KEY1-CORE

API keys & the Key Vault

A practical line through what API keys are, how they differ from passwords and OAuth tokens, how to keep them out of the wrong places, how that connects to Coffee Key Vault — the in-browser vault you open as KEY1-CORE.html — plus GitHub & PATs for tools that push to your repos (e.g. Print Punch).

No prior track required. If you run Coffee Server with Keyman, see also Coffee Server · Keyman for machine-local integration keys (ck_…) — a different flavor of the same idea.

For GitHub PATs (Module 7), it helps to know what a repo and a push are — see the Git & GitHub track (6 modules), then come back here for token hygiene.

1

What is an API key?

Secret strings for programs · services, not humans at a keyboard

2

Keys, passwords & OAuth

Three ways “you’re allowed” · what lives in the vault

3

Where secrets leak

Repos, screenshots, chat · the browser as a deliberate place

4

Scopes, rotation & revocation

Least privilege · when to roll keys · provider dashboards

5

How apps send keys

Headers vs URLs · why Authorization: Bearer won the culture war

6

Coffee Key Vault — KEY1-CORE

IndexedDB presets · OAuth cards · adding a service · nothing shipped to our servers from that page

7

GitHub & personal access tokens

Repos, Pages, PAT scopes · why Print Punch asks for a token · hygiene & Key Vault tie-in

Try it

Open the Key Vault in your browser — paste provider keys on purpose, in one place.

KEY1-CORE.html (Coffee Key Vault)