feat(tokens): T41-T43 implement API token management endpoints

- Add max_api_tokens_per_user config (default 5)
- Implement POST /api/tokens (T41): generate token with limit check
- Implement GET /api/tokens (T42): list active tokens, no values exposed
- Implement DELETE /api/tokens/{id} (T43): soft delete with ownership check
- Security: plaintext token shown ONLY at creation
- Security: SHA-256 hash stored in DB, never the plaintext
- Security: revoked tokens return 401 on public API
- 24 tests with 100% coverage on tokens router

Closes T41, T42, T43

src/openrouter_monitor/config.py

@@ -62,6 +62,10 @@ class Settings(BaseSettings):
         default=10,
         description="Maximum API keys per user"
     )
+    max_api_tokens_per_user: int = Field(
+        default=5,
+        description="Maximum API tokens per user"
+    )
     rate_limit_requests: int = Field(
         default=100,
         description="API rate limit requests"

src/openrouter_monitor/main.py

@@ -10,6 +10,7 @@ from openrouter_monitor.routers import api_keys
 from openrouter_monitor.routers import auth
 from openrouter_monitor.routers import public_api
 from openrouter_monitor.routers import stats
+from openrouter_monitor.routers import tokens
 
 settings = get_settings()
 
@@ -33,6 +34,7 @@ app.add_middleware(
 # Include routers
 app.include_router(auth.router, prefix="/api/auth", tags=["authentication"])
 app.include_router(api_keys.router, prefix="/api/keys", tags=["api-keys"])
+app.include_router(tokens.router)
 app.include_router(stats.router)
 app.include_router(public_api.router)
 

src/openrouter_monitor/routers/__init__.py

@@ -1,6 +1,8 @@
 """Routers package for OpenRouter Monitor."""
 from openrouter_monitor.routers import api_keys
 from openrouter_monitor.routers import auth
+from openrouter_monitor.routers import public_api
 from openrouter_monitor.routers import stats
+from openrouter_monitor.routers import tokens
 
-__all__ = ["auth", "api_keys", "stats"]
+__all__ = ["auth", "api_keys", "public_api", "stats", "tokens"]

src/openrouter_monitor/routers/tokens.py

@@ -0,0 +1,192 @@
+"""API tokens router for OpenRouter API Key Monitor.
+
+T41: POST /api/tokens - Generate API token
+T42: GET /api/tokens - List API tokens  
+T43: DELETE /api/tokens/{id} - Revoke API token
+"""
+from typing import List
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+
+from openrouter_monitor.config import get_settings
+from openrouter_monitor.database import get_db
+from openrouter_monitor.dependencies.auth import get_current_user
+from openrouter_monitor.models import ApiToken, User
+from openrouter_monitor.schemas.public_api import (
+    ApiTokenCreate,
+    ApiTokenCreateResponse,
+    ApiTokenResponse,
+)
+from openrouter_monitor.services.token import generate_api_token
+
+router = APIRouter(prefix="/api/tokens", tags=["api-tokens"])
+
+
+@router.post(
+    "",
+    response_model=ApiTokenCreateResponse,
+    status_code=status.HTTP_201_CREATED,
+    summary="Create new API token",
+    description="Generate a new API token for public API access. "
+                "The plaintext token is shown ONLY in this response.",
+)
+async def create_token(
+    token_data: ApiTokenCreate,
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    """Create a new API token.
+    
+    Args:
+        token_data: Token creation data (name)
+        current_user: Authenticated user from JWT
+        db: Database session
+        
+    Returns:
+        ApiTokenCreateResponse with plaintext token (shown only once!)
+        
+    Raises:
+        HTTPException: 400 if token limit reached
+    """
+    settings = get_settings()
+    
+    # Check token limit
+    token_count = db.query(ApiToken).filter(
+        ApiToken.user_id == current_user.id,
+        ApiToken.is_active == True
+    ).count()
+    
+    if token_count >= settings.max_api_tokens_per_user:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=f"Maximum number of API tokens ({settings.max_api_tokens_per_user}) reached. "
+                   "Revoke an existing token before creating a new one."
+        )
+    
+    # Generate token (returns plaintext and hash)
+    plaintext_token, token_hash = generate_api_token()
+    
+    # Create token record
+    db_token = ApiToken(
+        user_id=current_user.id,
+        token_hash=token_hash,
+        name=token_data.name,
+        is_active=True,
+    )
+    db.add(db_token)
+    db.commit()
+    db.refresh(db_token)
+    
+    # Return response with plaintext (shown only once!)
+    return ApiTokenCreateResponse(
+        id=db_token.id,
+        name=db_token.name,
+        token=plaintext_token,
+        created_at=db_token.created_at,
+    )
+
+
+@router.get(
+    "",
+    response_model=List[ApiTokenResponse],
+    summary="List API tokens",
+    description="List all active API tokens for the current user. "
+                "Token values are NOT included for security.",
+)
+async def list_tokens(
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    """List all active API tokens for the current user.
+    
+    Args:
+        current_user: Authenticated user from JWT
+        db: Database session
+        
+    Returns:
+        List of ApiTokenResponse (without token values)
+    """
+    tokens = db.query(ApiToken).filter(
+        ApiToken.user_id == current_user.id,
+        ApiToken.is_active == True
+    ).order_by(ApiToken.created_at.desc()).all()
+    
+    return [
+        ApiTokenResponse(
+            id=token.id,
+            name=token.name,
+            created_at=token.created_at,
+            last_used_at=token.last_used_at,
+            is_active=token.is_active,
+        )
+        for token in tokens
+    ]
+
+
+@router.delete(
+    "/{token_id}",
+    status_code=status.HTTP_204_NO_CONTENT,
+    summary="Revoke API token",
+    description="Revoke (soft delete) an API token. The token cannot be used after revocation.",
+)
+async def revoke_token(
+    token_id: int,
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    """Revoke an API token (soft delete).
+    
+    Args:
+        token_id: ID of the token to revoke
+        current_user: Authenticated user from JWT
+        db: Database session
+        
+    Raises:
+        HTTPException: 404 if token not found, 403 if not owned by user
+    """
+    # Find token (must be active and owned by current user)
+    token = db.query(ApiToken).filter(
+        ApiToken.id == token_id,
+        ApiToken.user_id == current_user.id,
+        ApiToken.is_active == True
+    ).first()
+    
+    if not token:
+        # Check if token exists but is inactive (already revoked)
+        inactive_token = db.query(ApiToken).filter(
+            ApiToken.id == token_id,
+            ApiToken.user_id == current_user.id,
+            ApiToken.is_active == False
+        ).first()
+        
+        if inactive_token:
+            # Token exists but is already revoked
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail="Token not found or already revoked"
+            )
+        
+        # Check if token exists but belongs to another user
+        other_user_token = db.query(ApiToken).filter(
+            ApiToken.id == token_id,
+            ApiToken.is_active == True
+        ).first()
+        
+        if other_user_token:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="You don't have permission to revoke this token"
+            )
+        
+        # Token doesn't exist at all
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Token not found"
+        )
+    
+    # Soft delete: set is_active to False
+    token.is_active = False
+    db.commit()
+    
+    return None  # 204 No Content