Allow apps to create API keys on behalf of users

[fmhall]

Allow clients to create API keys on behalf of users. Designed for CLI apps, desktop apps, or apps that need to kick off long running jobs on the users behalf.

• Show warning to users when this scope is requested
• Handle scope in token issuance
• Determine if a fresh API key should be created each time, if they should be reused, or if old ones should be archived when a new one with the same name ("Oauth generated API key") is created

It's also interesting to note that we aren't doing any validation/handling of scopes at the moment beyond ensuring they are a string.

Longer term

We want to enable CLI apps, desktop apps, etc. to allow users to authenticate and create API keys, without having to run a callback server.

Codex and Claude both spin up a callback server, since that works with no changes to a architecture like the one in this PR.

We could use the Device Code flow (RFC-8628), but that still requires the user to input a device code.

See initial questions in this tweet

[railway-app]

🚅 Deployed to the echo-pr-500 environment in echo

Service	Status	Web	Updated (UTC)
echo	✅ Success (View Logs)	Web	Oct 22, 2025 at 6:12 pm

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
assistant-ui-template	Ready	Preview	Comment	Oct 22, 2025 6:08pm
component-registry	Ready	Preview	Comment	Oct 22, 2025 6:08pm
echo-control	Ready	Preview	Comment	Oct 22, 2025 6:08pm
echo-next-boilerplate	Ready	Preview	Comment	Oct 22, 2025 6:08pm
echo-next-image	Ready	Preview	Comment	Oct 22, 2025 6:08pm
echo-next-sdk-example	Ready	Preview	Comment	Oct 22, 2025 6:08pm
echo-video-template	Ready	Preview	Comment	Oct 22, 2025 6:08pm
echo-vite-sdk-example	Ready	Preview	Comment	Oct 22, 2025 6:08pm
next-chat-template	Ready	Preview	Comment	Oct 22, 2025 6:08pm
react-boilerplate	Ready	Preview	Comment	Oct 22, 2025 6:08pm
react-chat	Ready	Preview	Comment	Oct 22, 2025 6:08pm
react-image	Ready	Preview	Comment	Oct 22, 2025 6:08pm

[rsproule]

did this a while ago and stashed it for some concerns #327

[rsproule]

i can get on board with this but this is incomplete. We need:

• show a warning or something inthe AuthZ page like:
  'you are creating a long lived access token, this can be revoked in echo website'
• need to actually append this scope in that scenario
• need to be able to tell when an authz was initiated with this "api_key:create" scope. Probably an additional url param
• sdk / clients need to know how to create this url (ask for this scope)