API keys

Mint API keys at /provider/api-keys. Tokens look like ork_<prefix>.<secret> — the secret half is shown ONCE on creation; copy it somewhere safe. The prefix half is what we use to look up the key on every request.

Default scopes: read + write. Admin scope adds tenant-settings access. Resources are tenant-scoped server-side; you cannot see another tenant's data regardless of scope.