- API keys start with cm_ and are shown once at creation — store them securely.
- Pass keys as Authorization: Bearer cm_xxx on all /v1/* endpoints.
- Revoke compromised keys immediately from Settings → API Keys.
- JWT tokens (dashboard login) are separate from API keys — do not expose JWTs in client apps.
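
An added example, not part of the original page or the service's own client code: one way to apply these rules on the client side, by loading the key from the environment, refusing a JWT-shaped value, attaching the key only to /v1/* paths, and masking keys in log text. The variable name CM_API_KEY, the /v1/items path, the key character set used for masking, and the sample key are assumptions.

```python
import os
import re

API_KEY_PREFIX = "cm_"      # from the page: API keys start with cm_
API_PATH_PREFIX = "/v1/"    # from the page: keys are passed on /v1/* endpoints
ENV_VAR = "CM_API_KEY"      # assumed variable name, not defined by the page
# A JWT is three base64url segments; a JSON header encodes to a string starting "eyJ".
JWT_RE = re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]*$")
# Assumed key alphabet for masking: letters, digits, "_" and "-" after the prefix.
LEAK_RE = re.compile(r"\bcm_[A-Za-z0-9_-]{8,}")


def load_api_key(env=os.environ):
    """Read the key from the environment and reject values that are not API keys."""
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise ValueError(f"{ENV_VAR} is not set")
    if JWT_RE.match(key):
        raise ValueError("value looks like a dashboard JWT, not an API key")
    if not key.startswith(API_KEY_PREFIX):
        raise ValueError(f"API keys start with {API_KEY_PREFIX}")
    return key


def auth_headers(path, key):
    """Attach the key only to /v1/* requests so it is never sent elsewhere."""
    if not path.startswith(API_PATH_PREFIX):
        return {}
    return {"Authorization": f"Bearer {key}"}


def redact(text):
    """Mask anything key-shaped before it reaches logs or error messages."""
    return LEAK_RE.sub(lambda m: m.group(0)[:7] + "...[redacted]", text)


if __name__ == "__main__":
    sample = "cm_test_1234567890abcdef"  # constructed key, not a real credential
    key = load_api_key({ENV_VAR: sample})
    print(redact(str(auth_headers("/v1/items", key))))  # hypothetical endpoint path
    print(auth_headers("/health", key))                 # no header outside /v1/*
```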