Get the calling API key's own metadata — name, prefix, scopes, expiry, last-used.
Self-introspection. Returns 404 when the caller authenticated via federation/JWT (no API key in scope) and 401 when there's no authentication at all. Never returns the raw secret — only the displayable prefix. No `[RequireScope]`: a key must be able to read its own metadata regardless of what scopes it carries, otherwise narrow keys couldn't see what they can do.
Authorization
Bearer JWT Authorization header using the Bearer scheme. Enter 'Bearer' [space] and then your token.
In: header
Path Parameters
The tenant identifier
Response Body
curl -X GET "https://api.fruxon.com/v1/tenants/string/tokens/current"{
"name": "string",
"ownerType": "USER",
"ownerId": "string",
"createdBy": "string",
"tokenHash": "string",
"keyPrefix": "string",
"type": "USER",
"expiresAt": 0,
"scopes": [
"string"
],
"revokedAt": 0,
"lastUsedAt": 0,
"createdAt": 0,
"id": "00000000-0000-0000-0000-000000000000",
"modifiedAt": 0,
"tenantId": "00000000-0000-0000-0000-000000000000"
}{
"type": "string",
"title": "string",
"status": 0,
"detail": "string",
"instance": "string",
"property1": null,
"property2": null
}{
"type": "string",
"title": "string",
"status": 0,
"detail": "string",
"instance": "string",
"property1": null,
"property2": null
}Page through a token's lifecycle audit events.
Returns mint / rotate / revoke / used-while-revoked events newest-first, plus a `nextPageToken` the caller replays to fetch older events — the same cursor-pagination contract as `/activity`. This is the lifecycle history; per-request usage lives under `/activity`.
Revoke a token
Permanently revokes a token — terminal and irreversible. Any request using it immediately starts returning 401. The row is retained so the audit and request-activity history survive. To temporarily suspend access, suspend the owning principal (e.g. the service account) instead — a token cannot be paused and re-enabled.