New API keys now use a cc_live_ prefix, more entropy, and hash-only storage with safe display metadata. Full keys are shown only once when created, while the dashboard stores and lists only non-sensitive prefix and last-four information.
API key authentication now supports both new hashed keys and existing legacy keys, and key deletion is scoped to the owning user to prevent cross-account deletion.
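A minimal sketch of the hash-only storage, display metadata and owner-scoped deletion described above. This is an added example, not the project's own code. Assumptions: SHA-256 as the hash, a 32-byte random secret, an in-memory dict in place of the database, and hypothetical function names; the legacy-key path is not modeled.

```python
import hashlib
import hmac
import secrets

PREFIX = "cc_live_"  # prefix named in the release note

# Constructed in-memory stand-in for the key table: key_id -> record.
KEYS = {}

def _digest(full_key):
    # Assumption: SHA-256, which suits high-entropy random keys (not passwords).
    return hashlib.sha256(full_key.encode()).hexdigest()

def create_key(user_id):
    """Return (key_id, full_key). The full key is never stored, so this is its only showing."""
    full_key = PREFIX + secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    key_id = secrets.token_hex(8)
    KEYS[key_id] = {
        "user_id": user_id,
        "hash": _digest(full_key),
        "prefix": PREFIX,
        "last4": full_key[-4:],
    }
    return key_id, full_key

def authenticate(presented):
    """Return the owning user_id, or None if no stored hash matches."""
    if not presented.startswith(PREFIX):
        return None  # legacy keys would be handled by a separate path
    candidate = _digest(presented)
    for rec in KEYS.values():
        if hmac.compare_digest(rec["hash"], candidate):
            return rec["user_id"]
    return None

def list_keys(user_id):
    """Dashboard view: display metadata only, no hash and no key material."""
    return [{"id": k, "display": f'{r["prefix"]}...{r["last4"]}'}
            for k, r in KEYS.items() if r["user_id"] == user_id]

def delete_key(user_id, key_id):
    """Delete only when the key belongs to the caller; otherwise change nothing."""
    rec = KEYS.get(key_id)
    if rec is None or rec["user_id"] != user_id:
        return False  # same result for "missing" and "not yours"
    del KEYS[key_id]
    return True
```

In a real table the lookup would be an indexed query on the hash column, and the delete would carry the owner in its WHERE clause rather than checking it in application code.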