- Add max_api_tokens_per_user config (default 5)
- Implement POST /api/tokens (T41): generate token with limit check
- Implement GET /api/tokens (T42): list active tokens, no values exposed
- Implement DELETE /api/tokens/{id} (T43): soft delete with ownership check
- Security: plaintext token shown ONLY at creation
- Security: SHA-256 hash stored in DB, never the plaintext
- Security: revoked tokens return 401 on public API
- 24 tests with 100% coverage on tokens router
Closes T41, T42, T43
- GET /api/v1/stats: aggregated stats with date range (default 30 days)
- GET /api/v1/usage: paginated usage with required date filters
- GET /api/v1/keys: key list with stats, no key values exposed
- All endpoints use API token auth and rate limiting
Add statistics router with two endpoints:
- GET /api/stats/dashboard: Aggregated dashboard statistics
- Query param: days (1-365, default 30)
- Auth required
- Returns DashboardResponse
- GET /api/usage: Detailed usage statistics with filtering
- Required params: start_date, end_date
- Optional filters: api_key_id, model
- Pagination: skip, limit (max 1000)
- Auth required
- Returns List[UsageStatsResponse]
Also add get_usage_stats() service function for querying
individual usage records with filtering and pagination.
- T24: POST /api/keys with encryption and limit validation
- T25: GET /api/keys with pagination and sorting
- T26: PUT /api/keys/{id} for partial updates
- T27: DELETE /api/keys/{id} with cascade
- Add ownership verification (403 for unauthorized access)
- API key encryption with AES-256 before storage
- Never expose API key value in responses
- 100% coverage on api_keys router (25 tests)
Refs: T24 T25 T26 T27
Add POST /api/auth/register endpoint with:
- UserRegister schema validation
- Email uniqueness check
- Password hashing with bcrypt
- User creation in database
- UserResponse returned (excludes password)
Status: 201 Created on success, 400 for duplicate email, 422 for validation errors
Test coverage: 5 tests for register endpoint
