All posts

FourA Digest — May 29 to Jun 5, 2026

API keys created this week are revealable. The Dashboard remembers them, the playground's curl reproducer drops them in, and you can cancel slow requests.

Highlights

API keys are now revealable. Generate one in your Dashboard, walk away, come back next week, and the key is still there waiting for you behind a click. We also smoothed three rough edges in the API playground so the curl reproducer actually runs.

What's New

API keys you can see again

Most SaaS APIs hand you a key once. Lose it, regenerate. Update every service that uses the old key. Redeploy. You know the drill.

We didn't love that pattern. So we changed it.

Keys created from now on come with a revealable copy. Open your Dashboard, click the eye icon next to any key, confirm, and the full pk_live_... value lands in front of you. Fifteen seconds later it auto-hides and clears from the page. Every reveal is audit-logged.

A few details that mattered to us:

  • The path that authenticates your requests is still a one-way hash, untouched. The revealable copy is a second, encrypted artifact (AES-256-GCM) that lives next to it. If we ever rolled the encryption key, validation would keep working.
  • Keys created before this change can't be revealed. They have no encrypted copy to read back. They keep working forever through the hash path. The Dashboard shows a small lock marker and a "regenerate to enable" hint, so you know which keys carry the new capability and which don't.
  • Access control matches the rest of the keys API. You can reveal your own keys. An org admin can reveal any key in the org. Team-write members can reveal team keys. Read-only roles can't.
  • Keys an org admin creates on behalf of a teammate are revealable too, with the same rules. The capability lives at the key, not at the surface that created it.

If you've been hoarding password manager entries for FourA keys, you can stop.

The curl reproducer is real curl now

Every request you build in the playground comes with a copy-pasteable curl on the side. The idea is simple: get the request right in the UI, grab the curl, drop it into a script, a teammate's terminal, or a bug report.

Until this week the curl had a placeholder where the key should go (PASTE_PLAINTEXT_FOR_my-key), and you had to fill it in by hand before it ran. The reproducer wasn't a reproducer. It was a template.

That's gone. For any revealable key, the playground has a Reveal button on the curl panel. Click it, the real plaintext drops into the curl, copy the whole thing, paste it into your terminal, and it runs. Click again to hide. The reveal is in-memory for that session only, never written to disk, and the curl panel tracks the key dropdown, so switching keys never leaks one into another. Older non-revealable keys still show the placeholder, because we can't get the plaintext back for them.

Cancel button on in-flight requests

If you fired a playground request against a slow target site, the only option used to be waiting for the timeout. We added a Cancel button to the loading panel. Click it, the request aborts cleanly, and the response area returns to its idle state with "Request canceled." instead of a scary error.

Small thing. But the playground feels like a real tool now instead of a demo. You can probe a flaky site, abort, tweak the request, try again, without ever sitting and waiting.

Under the Hood

Three small follow-ups on the curl Reveal button after the initial ship: the error toast shows the friendly message instead of the machine error code, the button can't get stuck on "Revealing…" if something else throws, and a CSS specificity bug that kept the button visible on keys that don't support reveal is gone.

If you saw any of those, they should be fixed. If you didn't, you didn't miss anything.

Generate, copy, paste, lose track. Come back later. The Dashboard remembers.