diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index b5e8cfd4..4f6145be 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -35,7 +35,7 @@ jobs:
         id: claude-review
         uses: anthropics/claude-code-action@v1
         with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
           plugins: 'code-review@claude-code-plugins'
           prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index d300267f..79fe0564 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -34,7 +34,7 @@ jobs:
         id: claude
         uses: anthropics/claude-code-action@v1
         with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 
           # This is an optional setting that allows Claude to read CI results on PRs
           additional_permissions: |
diff --git a/README.md b/README.md
index 81aab99e..eb9472aa 100644
--- a/README.md
+++ b/README.md
@@ -342,15 +342,16 @@ Quality gates validate agent output before it reaches users. Configured in agent
 
 ### Security
 - **Rate limiting** — Token bucket per user/IP, configurable RPM
+- **API key management** — Multi-key auth with RBAC scopes (`admin`, `read`, `write`, `approvals`, `pairing`), SHA-256 hashed storage, optional expiry, revocation
 - **Prompt injection detection** — 6-pattern regex scanner (detection-only, never blocks)
 - **Credential scrubbing** — Auto-redact API keys, tokens, passwords from tool outputs
 - **Shell deny patterns** — Blocks `curl|sh`, reverse shells, `eval $()`, `base64|sh`
 - **SSRF protection** — DNS pinning, blocked private IPs, blocked hosts
-- **AES-256-GCM** — Encrypted API keys in database
+- **AES-256-GCM** — Encrypted provider API keys in database
 - **Browser pairing** — Token-free browser auth with admin-approved pairing codes
 
 ### Web Dashboard
-- Agent management, traces & spans viewer, skills, teams, MCP servers, pairing approval, memory management (CRUD + search + chunking), knowledge graph (table + force-directed visualization), and pending messages dashboard
+- Agent management, traces & spans viewer, skills, teams, MCP servers, pairing approval, memory management (CRUD + search + chunking), knowledge graph (table + force-directed visualization), pending messages dashboard, API key management, and interactive API documentation (Swagger UI)
 
 ## Quick Start
 
@@ -695,9 +696,14 @@ goclaw pairing revoke     Revoke a pairing
 
 ## API
 
-See [API Reference](api-reference.md) for HTTP endpoints, Custom Tools, and MCP Integration.
+Interactive API documentation is available at `/docs` (Swagger UI) when the gateway is running. The OpenAPI 3.0 spec is served at `/v1/openapi.json`.
 
-See [WebSocket Protocol](websocket-protocol.md) for the real-time RPC protocol (v3).
+| Documentation | Description |
+|---------------|-------------|
+| [HTTP REST API](docs/18-http-api.md) | 130+ HTTP endpoints — chat completions, agents, skills, providers, MCP, memory, knowledge graph, channels, traces, usage, storage, API keys |
+| [WebSocket RPC](docs/19-websocket-rpc.md) | 64+ RPC methods — chat, agents, config, sessions, cron, teams, pairing, delegations, approvals |
+| [API Keys & Auth](docs/20-api-keys-auth.md) | Authentication model, RBAC scopes, API key management, security design |
+| [Gateway Protocol](docs/04-gateway-protocol.md) | WebSocket wire protocol (v3), frame format, connection lifecycle |
 
 ## Docker Compose
 
@@ -894,12 +900,13 @@ Requires `GOCLAW_TSNET_AUTH_KEY` in your `.env` file. Tailscale state is persist
 ## Security
 
 - **Transport**: WebSocket CORS validation, 512KB message limit, 1MB HTTP body limit, timing-safe token auth
+- **API key management**: Multi-key auth with 5 RBAC scopes, SHA-256 hashed storage, optional expiry, revocation, show-once pattern. See [API Keys & Auth](docs/20-api-keys-auth.md)
 - **Rate limiting**: Token bucket per user/IP, configurable RPM
 - **Prompt injection**: Input guard with 6 pattern detection (detection-only, never blocks)
 - **Shell security**: Deny patterns for `curl|sh`, `wget|sh`, reverse shells, `eval`, `base64|sh`
 - **Network**: SSRF protection with blocked hosts + private IP + DNS pinning
 - **File system**: Path traversal prevention, workspace restriction
-- **Encryption**: AES-256-GCM for API keys in database
+- **Encryption**: AES-256-GCM for provider API keys in database
 - **Browser pairing**: Token-free browser auth with admin approval (pairing codes, auto-reconnect)
 - **Tailscale**: Optional VPN mesh listener for secure remote access (build-tag gated)
 
@@ -943,7 +950,8 @@ GOCLAW_OPENROUTER_API_KEY=sk-or-xxx go test -v ./tests/integration/ -timeout 120
 - **Cron scheduling** — `at`, `every`, and cron expression scheduling. Tested in production.
 - **Docker sandbox** — Isolated code execution in containers. Tested in production.
 - **Text-to-Speech** — OpenAI, ElevenLabs, Edge, MiniMax providers. Tested in production.
-- **HTTP API** — `/v1/chat/completions`, `/v1/agents`, `/v1/skills`, etc. Tested in production.
+- **HTTP API** — `/v1/chat/completions`, `/v1/agents`, `/v1/skills`, etc. Tested in production. Interactive Swagger UI at `/docs`.
+- **API key management** — Multi-key auth with RBAC scopes, SHA-256 hashed storage, show-once pattern, optional expiry, revocation. HTTP + WebSocket CRUD. Web UI for management.
 - **Hooks system** — Event-driven hooks with command evaluators (shell exit code) and agent evaluators (delegate to reviewer). Blocking gates with auto-retry and recursion-safe evaluation.
 - **Media tools** — `create_image` (DashScope, MiniMax), `create_audio` (OpenAI, ElevenLabs, MiniMax, Suno), `create_video` (MiniMax, Veo), `read_document` (Gemini File API), `read_image`, `read_audio`, `read_video`. Persistent media storage with lazy-loaded MediaRef.
 - **Additional provider modes** — Claude CLI (Anthropic via stdio + MCP bridge), Codex (OpenAI gpt-5.3-codex via OAuth).
diff --git a/cmd/gateway.go b/cmd/gateway.go
index c9268db8..396548d8 100644
--- a/cmd/gateway.go
+++ b/cmd/gateway.go
@@ -739,6 +739,15 @@ func runGateway() {
 		server.SetUsageHandler(httpapi.NewUsageHandler(pgStores.Snapshots, pgStores.DB, cfg.Gateway.Token))
 	}
 
+	// API key management
+	// API documentation (OpenAPI spec + Swagger UI at /docs)
+	server.SetDocsHandler(httpapi.NewDocsHandler(cfg.Gateway.Token))
+
+	if pgStores != nil && pgStores.APIKeys != nil {
+		server.SetAPIKeysHandler(httpapi.NewAPIKeysHandler(pgStores.APIKeys, cfg.Gateway.Token, msgBus))
+		server.SetAPIKeyStore(pgStores.APIKeys)
+	}
+
 	// Memory management API (wired directly, only needs MemoryStore + token)
 	if pgStores != nil && pgStores.Memory != nil {
 		server.SetMemoryHandler(httpapi.NewMemoryHandler(pgStores.Memory, cfg.Gateway.Token))
@@ -981,6 +990,11 @@ func runGateway() {
 	// Pass DB so summary cards still work when quota is disabled (queries traces directly).
 	methods.NewQuotaMethods(quotaChecker, pgStores.DB).Register(server.Router())
 
+	// API key management RPC
+	if pgStores.APIKeys != nil {
+		methods.NewAPIKeysMethods(pgStores.APIKeys).Register(server.Router())
+	}
+
 	// Reload quota config on config changes via pub/sub.
 	if quotaChecker != nil {
 		msgBus.Subscribe("quota-config-reload", func(evt bus.Event) {
diff --git a/docs/17-changelog.md b/docs/17-changelog.md
index 8e41bfb7..1d29b063 100644
--- a/docs/17-changelog.md
+++ b/docs/17-changelog.md
@@ -8,6 +8,31 @@ All notable changes to GoClaw Gateway are documented here. Format follows [Keep
 
 ### Added
 
+#### API Key Management
+- **Multi-key auth**: Multiple API keys with `goclaw_` prefix, SHA-256 hashed storage, show-once pattern
+- **RBAC scopes**: `operator.admin`, `operator.read`, `operator.write`, `operator.approvals`, `operator.pairing`
+- **HTTP + WS**: Full CRUD via `/v1/api-keys` and `api_keys.*` RPC methods
+- **Web UI**: Create dialog with scope checkboxes, expiry options, revoke confirmation
+- **Migration**: `000020_api_keys` — `api_keys` table with partial index on active key hashes
+- **Backward compatible**: Existing gateway token continues to work as admin
+
+#### Interactive API Documentation
+- **Swagger UI** at `/docs` with embedded OpenAPI 3.0 spec at `/v1/openapi.json`
+- **Coverage**: 130+ HTTP endpoints across 18 tag groups
+- **Sidebar link**: API Docs entry in System group (opens in new tab)
+
+### Documentation
+
+- Added `18-http-api.md` — Complete HTTP REST API reference (all endpoints, auth, error codes)
+- Added `19-websocket-rpc.md` — Complete WebSocket RPC method catalog (64+ methods, permission matrix)
+- Added `20-api-keys-auth.md` — API key authentication, RBAC scopes, security model, usage examples
+
+---
+
+## [ACP Provider Release]
+
+### Added
+
 #### ACP Provider (Agent Client Protocol)
 - **New provider**: ACP provider enables orchestration of external coding agents (Claude Code, Codex CLI, Gemini CLI) as JSON-RPC 2.0 subprocesses over stdio
 - **ProcessPool**: Manages subprocess lifecycle with idle TTL reaping and automatic crash recovery
diff --git a/docs/18-http-api.md b/docs/18-http-api.md
new file mode 100644
index 00000000..671d0f24
--- /dev/null
+++ b/docs/18-http-api.md
@@ -0,0 +1,584 @@
+# 18 — HTTP REST API
+
+GoClaw exposes a comprehensive HTTP REST API alongside the WebSocket RPC protocol. All endpoints are served from the same gateway server and share authentication, rate limiting, and i18n infrastructure.
+
+Interactive documentation is available at `/docs` (Swagger UI) and the raw OpenAPI 3.0 spec at `/v1/openapi.json`.
+
+---
+
+## 1. Authentication
+
+All HTTP endpoints (except `/health`) require authentication via Bearer token in the `Authorization` header:
+
+```
+Authorization: Bearer <token>
+```
+
+Two token types are accepted:
+
+| Type | Format | Scope |
+|------|--------|-------|
+| Gateway token | Configured in `config.json` | Full admin access |
+| API key | `goclaw_` + 32 hex chars | Scoped by key permissions |
+
+API keys are hashed with SHA-256 before lookup — the raw key is never stored. See [20 — API Keys & Auth](20-api-keys-auth.md) for details.
+
+> Some endpoints accept the token as a query parameter `?token=<token>` for use in `<img>` and `<audio>` tags (e.g., `/v1/files/`, `/v1/media/`).
+
+### Common Headers
+
+| Header | Purpose |
+|--------|---------|
+| `Authorization` | Bearer token for authentication |
+| `X-GoClaw-User-Id` | External user ID for multi-tenant context |
+| `X-GoClaw-Agent-Id` | Agent identifier for scoped operations |
+| `Accept-Language` | Locale (`en`, `vi`, `zh`) for i18n error messages |
+| `Content-Type` | `application/json` for request bodies |
+
+---
+
+## 2. Chat Completions
+
+OpenAI-compatible chat API for programmatic access to agents.
+
+### `POST /v1/chat/completions`
+
+```json
+{
+  "model": "goclaw:agent-id-or-key",
+  "messages": [
+    {"role": "user", "content": "Hello"}
+  ],
+  "stream": false,
+  "user": "optional-user-id"
+}
+```
+
+**Response** (non-streaming):
+
+```json
+{
+  "id": "chatcmpl-...",
+  "object": "chat.completion",
+  "choices": [{
+    "index": 0,
+    "message": {"role": "assistant", "content": "..."},
+    "finish_reason": "stop"
+  }],
+  "usage": {"prompt_tokens": 10, "completion_tokens": 20, "total_tokens": 30}
+}
+```
+
+**Streaming:** Set `"stream": true` to receive Server-Sent Events (SSE) with `data: {...}` chunks, terminated by `data: [DONE]`.
+
+**Rate limiting:** Per-IP when `rate_limit_rpm` is configured.
+
+---
+
+## 3. OpenResponses Protocol
+
+### `POST /v1/responses`
+
+Alternative response-based protocol (compatible with OpenAI Responses API). Accepts the same auth and returns structured response objects.
+
+---
+
+## 4. Agents
+
+CRUD operations for agent management. Requires `X-GoClaw-User-Id` header for multi-tenant context.
+
+| Method | Path | Description | Auth |
+|--------|------|-------------|------|
+| `GET` | `/v1/agents` | List agents accessible by user | Bearer |
+| `POST` | `/v1/agents` | Create new agent | Bearer |
+| `GET` | `/v1/agents/{id}` | Get agent by ID or key | Bearer |
+| `PUT` | `/v1/agents/{id}` | Update agent (owner only) | Bearer |
+| `DELETE` | `/v1/agents/{id}` | Delete agent (owner only) | Bearer |
+
+### Shares
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/agents/{id}/shares` | List agent shares |
+| `POST` | `/v1/agents/{id}/shares` | Share agent with user |
+| `DELETE` | `/v1/agents/{id}/shares/{userID}` | Revoke share |
+
+### Agent Actions
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `POST` | `/v1/agents/{id}/regenerate` | Regenerate agent config with custom prompt |
+| `POST` | `/v1/agents/{id}/resummon` | Retry initial LLM summoning |
+
+### Predefined Agent Instances
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/agents/{id}/instances` | List user instances |
+| `GET` | `/v1/agents/{id}/instances/{userID}/files` | Get user context files |
+| `PUT` | `/v1/agents/{id}/instances/{userID}/files/{fileName}` | Update user file (USER.md only) |
+| `PATCH` | `/v1/agents/{id}/instances/{userID}/metadata` | Update instance metadata |
+
+### Wake (External Trigger)
+
+```
+POST /v1/agents/{id}/wake
+```
+
+```json
+{
+  "message": "Process new data",
+  "session_key": "optional-session",
+  "user_id": "optional-user",
+  "metadata": {}
+}
+```
+
+Response: `{content, run_id, usage?}`. Used by orchestrators (n8n, Paperclip) to trigger agent runs.
+
+---
+
+## 5. Skills
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/skills` | List all skills |
+| `POST` | `/v1/skills/upload` | Upload ZIP with SKILL.md (20 MB limit) |
+| `GET` | `/v1/skills/{id}` | Get skill details |
+| `PUT` | `/v1/skills/{id}` | Update skill metadata |
+| `DELETE` | `/v1/skills/{id}` | Delete skill (not system skills) |
+| `POST` | `/v1/skills/{id}/toggle` | Enable/disable skill |
+
+### Skill Grants
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `POST` | `/v1/skills/{id}/grants/agent` | Grant skill to agent |
+| `DELETE` | `/v1/skills/{id}/grants/agent/{agentID}` | Revoke from agent |
+| `POST` | `/v1/skills/{id}/grants/user` | Grant skill to user |
+| `DELETE` | `/v1/skills/{id}/grants/user/{userID}` | Revoke from user |
+| `GET` | `/v1/agents/{agentID}/skills` | List skills with grant status |
+
+### Skill Files & Dependencies
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/skills/{id}/versions` | List available versions |
+| `GET` | `/v1/skills/{id}/files` | List files in skill |
+| `GET` | `/v1/skills/{id}/files/{path...}` | Read file content |
+| `POST` | `/v1/skills/rescan-deps` | Rescan runtime dependencies |
+| `POST` | `/v1/skills/install-deps` | Install all missing deps |
+| `POST` | `/v1/skills/install-dep` | Install single dependency |
+| `GET` | `/v1/skills/runtimes` | Check runtime availability |
+
+---
+
+## 6. Providers
+
+LLM provider management. API keys are encrypted with AES-256-GCM in the database and masked in responses.
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/providers` | List providers (keys masked) |
+| `POST` | `/v1/providers` | Create provider |
+| `GET` | `/v1/providers/{id}` | Get provider |
+| `PUT` | `/v1/providers/{id}` | Update provider |
+| `DELETE` | `/v1/providers/{id}` | Delete provider |
+
+### Provider Verification & Models
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `POST` | `/v1/providers/{id}/verify` | Test provider+model with minimal LLM call |
+| `GET` | `/v1/providers/{id}/models` | Proxy to upstream provider model list |
+| `GET` | `/v1/providers/claude-cli/auth-status` | Check Claude CLI login status |
+
+**Supported types:** `anthropic_native`, `openai_compat`, `chatgpt_oauth`, `gemini_native`, `dashscope`, `bailian`, `minimax`, `claude_cli`, `acp`
+
+---
+
+## 7. Sessions
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/sessions` | List sessions (paginated) |
+| `GET` | `/v1/sessions/{key}` | Get session with messages |
+| `DELETE` | `/v1/sessions/{key}` | Delete session |
+| `POST` | `/v1/sessions/{key}/reset` | Clear session messages |
+| `PATCH` | `/v1/sessions/{key}` | Update label, model, metadata |
+
+---
+
+## 8. MCP Servers
+
+Model Context Protocol server management.
+
+### Server CRUD
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/mcp/servers` | List servers with agent grant counts |
+| `POST` | `/v1/mcp/servers` | Create MCP server |
+| `GET` | `/v1/mcp/servers/{id}` | Get server details |
+| `PUT` | `/v1/mcp/servers/{id}` | Update server |
+| `DELETE` | `/v1/mcp/servers/{id}` | Delete server |
+| `POST` | `/v1/mcp/servers/test` | Test connection (no save) |
+| `GET` | `/v1/mcp/servers/{id}/tools` | List runtime-discovered tools |
+
+### Agent Grants
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/mcp/servers/{id}/grants` | List grants for server |
+| `POST` | `/v1/mcp/servers/{id}/grants/agent` | Grant to agent |
+| `DELETE` | `/v1/mcp/servers/{id}/grants/agent/{agentID}` | Revoke from agent |
+| `GET` | `/v1/mcp/grants/agent/{agentID}` | List agent's server grants |
+
+### User Grants
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `POST` | `/v1/mcp/servers/{id}/grants/user` | Grant to user |
+| `DELETE` | `/v1/mcp/servers/{id}/grants/user/{userID}` | Revoke from user |
+
+### Access Requests
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `POST` | `/v1/mcp/requests` | Create access request |
+| `GET` | `/v1/mcp/requests` | List pending requests |
+| `POST` | `/v1/mcp/requests/{id}/review` | Approve/deny request |
+
+Grants support `tool_allow` and `tool_deny` JSON arrays for fine-grained tool filtering.
+
+---
+
+## 9. Tools
+
+### Built-in Tools
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/tools/builtin` | List all built-in tools |
+| `GET` | `/v1/tools/builtin/{name}` | Get tool definition |
+| `PUT` | `/v1/tools/builtin/{name}` | Update enabled/settings |
+
+### Custom Tools
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/tools/custom` | List custom tools (paginated) |
+| `POST` | `/v1/tools/custom` | Create custom tool |
+| `GET` | `/v1/tools/custom/{id}` | Get tool details |
+| `PUT` | `/v1/tools/custom/{id}` | Update tool |
+| `DELETE` | `/v1/tools/custom/{id}` | Delete tool |
+
+### Direct Invocation
+
+```
+POST /v1/tools/invoke
+```
+
+```json
+{
+  "tool": "web_fetch",
+  "action": "fetch",
+  "args": {"url": "https://example.com"},
+  "dryRun": false,
+  "agentId": "optional",
+  "channel": "optional",
+  "chatId": "optional",
+  "peerKind": "direct"
+}
+```
+
+Set `"dryRun": true` to return tool schema without execution.
+
+---
+
+## 10. Memory
+
+Per-agent vector memory using pgvector.
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/memory/documents` | List all documents globally |
+| `GET` | `/v1/agents/{agentID}/memory/documents` | List documents for agent |
+| `GET` | `/v1/agents/{agentID}/memory/documents/{path...}` | Get document details |
+| `PUT` | `/v1/agents/{agentID}/memory/documents/{path...}` | Put/update document |
+| `DELETE` | `/v1/agents/{agentID}/memory/documents/{path...}` | Delete document |
+| `GET` | `/v1/agents/{agentID}/memory/chunks` | List chunks for document |
+| `POST` | `/v1/agents/{agentID}/memory/index` | Index single document |
+| `POST` | `/v1/agents/{agentID}/memory/index-all` | Index all documents |
+| `POST` | `/v1/agents/{agentID}/memory/search` | Semantic search |
+
+Optional query parameter `?user_id=` for per-user scoping.
+
+---
+
+## 11. Knowledge Graph
+
+Per-agent entity-relation graph.
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/agents/{agentID}/kg/entities` | List/search entities (BM25) |
+| `GET` | `/v1/agents/{agentID}/kg/entities/{entityID}` | Get entity with relations |
+| `POST` | `/v1/agents/{agentID}/kg/entities` | Upsert entity |
+| `DELETE` | `/v1/agents/{agentID}/kg/entities/{entityID}` | Delete entity |
+| `POST` | `/v1/agents/{agentID}/kg/traverse` | Traverse graph (max depth 3) |
+| `POST` | `/v1/agents/{agentID}/kg/extract` | LLM-powered entity extraction |
+| `GET` | `/v1/agents/{agentID}/kg/stats` | Knowledge graph statistics |
+| `GET` | `/v1/agents/{agentID}/kg/graph` | Full graph for visualization |
+
+---
+
+## 12. Channels
+
+### Channel Instances
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/channels/instances` | List instances (paginated) |
+| `POST` | `/v1/channels/instances` | Create instance |
+| `GET` | `/v1/channels/instances/{id}` | Get instance |
+| `PUT` | `/v1/channels/instances/{id}` | Update instance |
+| `DELETE` | `/v1/channels/instances/{id}` | Delete instance (not default) |
+
+### Contacts
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/contacts` | List contacts (paginated) |
+| `GET` | `/v1/contacts/resolve?ids=...` | Resolve contacts by IDs (max 100) |
+
+### Group Writers
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/channels/instances/{id}/writers/groups` | List group file writers |
+| `GET` | `/v1/channels/instances/{id}/writers` | List writers for group |
+| `POST` | `/v1/channels/instances/{id}/writers` | Add writer to group |
+| `DELETE` | `/v1/channels/instances/{id}/writers/{userId}` | Remove writer |
+
+**Supported channels:** `telegram`, `discord`, `slack`, `whatsapp`, `zalo_oa`, `zalo_personal`, `feishu`
+
+Credentials are masked in HTTP responses.
+
+---
+
+## 13. Pending Messages
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/pending-messages` | List all groups with titles |
+| `GET` | `/v1/pending-messages/messages` | List messages by channel+key |
+| `DELETE` | `/v1/pending-messages` | Delete message group |
+| `POST` | `/v1/pending-messages/compact` | LLM-based summarization (async, 202) |
+
+Compaction runs in the background. Falls back to hard delete if no LLM provider is available.
+
+---
+
+## 14. Traces
+
+LLM call tracing and cost analysis.
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/traces` | List traces (paginated, filterable) |
+| `GET` | `/v1/traces/{traceID}` | Get trace with spans |
+| `GET` | `/v1/traces/{traceID}/export` | Export trace tree (gzipped JSON) |
+| `GET` | `/v1/costs/summary` | Cost summary by agent/time range |
+
+**Filters:** `agent_id`, `user_id`, `session_key`, `status`, `channel`
+
+---
+
+## 15. Usage & Analytics
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/usage/timeseries` | Time-series usage points |
+| `GET` | `/v1/usage/breakdown` | Breakdown by provider/model/channel |
+| `GET` | `/v1/usage/summary` | Summary with period comparison |
+
+**Query params:** `from`, `to` (RFC 3339), `agent_id`, `provider`, `model`, `channel`, `group_by`
+
+**Periods:** `24h`, `today`, `7d`, `30d`
+
+---
+
+## 16. Activity & Audit
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/activity` | List activity audit logs (filterable) |
+
+---
+
+## 17. Storage
+
+Workspace file management.
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/storage/files` | List files with depth limiting |
+| `GET` | `/v1/storage/files/{path...}` | Read file (JSON or raw) |
+| `DELETE` | `/v1/storage/files/{path...}` | Delete file/directory |
+| `GET` | `/v1/storage/size` | Stream storage size (SSE, cached 60 min) |
+
+Use `?raw=true` to serve native MIME type. Protected directories `skills/` and `skills-store/` cannot be deleted. Path traversal and symlink attacks are blocked.
+
+---
+
+## 18. Media
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `POST` | `/v1/media/upload` | Upload file (multipart, 50 MB limit) |
+| `GET` | `/v1/media/{id}` | Serve media by ID with caching |
+
+---
+
+## 19. Files
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/files/{path...}` | Serve workspace file by path |
+
+Auth via Bearer token or `?token=` query param (for `<img>` tags). MIME type auto-detected. Path traversal blocked.
+
+---
+
+## 20. API Keys
+
+Admin-only endpoints for managing gateway API keys. See [20 — API Keys & Auth](20-api-keys-auth.md) for the full authentication and authorization model.
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/api-keys` | List all API keys (masked) |
+| `POST` | `/v1/api-keys` | Create API key (returns raw key once) |
+| `DELETE` | `/v1/api-keys/{id}` | Revoke API key |
+
+### Create Request
+
+```json
+{
+  "name": "ci-deploy",
+  "scopes": ["operator.read", "operator.write"],
+  "expires_in": 2592000
+}
+```
+
+### Create Response
+
+```json
+{
+  "id": "01961234-...",
+  "name": "ci-deploy",
+  "prefix": "goclaw_a1b2c3d4",
+  "key": "goclaw_a1b2c3d4e5f6...full-key",
+  "scopes": ["operator.read", "operator.write"],
+  "expires_at": "2026-04-14T12:00:00Z",
+  "created_at": "2026-03-15T12:00:00Z"
+}
+```
+
+> The `key` field is only returned in the create response. Subsequent list/get calls show only the `prefix`.
+
+---
+
+## 21. OAuth
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/auth/openai/status` | Check OpenAI auth status |
+| `POST` | `/v1/auth/openai/start` | Start OAuth flow |
+| `POST` | `/v1/auth/openai/callback` | Manual callback handler |
+| `POST` | `/v1/auth/openai/logout` | Revoke token |
+
+---
+
+## 22. System
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/health` | Health check (no auth) |
+| `GET` | `/v1/openapi.json` | OpenAPI 3.0 spec |
+| `GET` | `/docs` | Swagger UI |
+
+### Health Response
+
+```json
+{
+  "status": "ok",
+  "protocol": 3
+}
+```
+
+---
+
+## 23. MCP Bridge
+
+Exposes GoClaw tools to Claude CLI via streamable HTTP at `/mcp/bridge`. Only listens on localhost. Protected by gateway token with HMAC-signed context headers.
+
+| Header | Purpose |
+|--------|---------|
+| `X-Agent-ID` | Agent context for tool execution |
+| `X-User-ID` | User context |
+| `X-Channel` | Channel routing |
+| `X-Chat-ID` | Chat routing |
+| `X-Peer-Kind` | `direct` or `group` |
+| `X-Bridge-Sig` | HMAC signature over all context fields |
+
+---
+
+## Error Responses
+
+All endpoints return errors in a consistent JSON format:
+
+```json
+{
+  "error": "human-readable error message"
+}
+```
+
+Error messages are localized based on the `Accept-Language` header. HTTP status codes follow standard conventions:
+
+| Code | Meaning |
+|------|---------|
+| `400` | Bad request (invalid JSON, missing fields) |
+| `401` | Unauthorized (missing or invalid token) |
+| `403` | Forbidden (insufficient permissions) |
+| `404` | Not found |
+| `409` | Conflict (duplicate name, version mismatch) |
+| `429` | Rate limited |
+| `500` | Internal server error |
+
+---
+
+## File Reference
+
+| File | Purpose |
+|------|---------|
+| `internal/http/chat_completions.go` | OpenAI-compatible chat API |
+| `internal/http/responses.go` | OpenResponses protocol |
+| `internal/http/agents.go` | Agent CRUD + shares |
+| `internal/http/skills.go` | Skill management |
+| `internal/http/providers.go` | Provider CRUD |
+| `internal/http/mcp.go` | MCP server management |
+| `internal/http/custom_tools.go` | Custom tool CRUD |
+| `internal/http/builtin_tools.go` | Built-in tool management |
+| `internal/http/channel_instances.go` | Channel instance management |
+| `internal/http/memory.go` | Memory document management |
+| `internal/http/knowledge_graph.go` | Knowledge graph API |
+| `internal/http/traces.go` | LLM trace listing |
+| `internal/http/usage.go` | Usage analytics |
+| `internal/http/activity.go` | Activity audit log |
+| `internal/http/storage.go` | Workspace file management |
+| `internal/http/api_keys.go` | API key management |
+| `internal/http/auth.go` | Authentication helpers |
+| `internal/http/openapi.go` | OpenAPI spec + Swagger UI |
+| `internal/gateway/server.go` | HTTP mux and route wiring |
+| `cmd/gateway.go` | Handler instantiation and wiring |
diff --git a/docs/19-websocket-rpc.md b/docs/19-websocket-rpc.md
new file mode 100644
index 00000000..1dcde572
--- /dev/null
+++ b/docs/19-websocket-rpc.md
@@ -0,0 +1,534 @@
+# 19 — WebSocket RPC Methods
+
+GoClaw's primary control plane is a WebSocket-based JSON-RPC protocol (v3). Clients connect to `/ws`, authenticate via `connect`, then exchange request/response/event frames.
+
+For the wire protocol, frame format, and connection lifecycle, see [04 — Gateway Protocol](04-gateway-protocol.md). This document catalogs every available RPC method.
+
+---
+
+## 1. Connection & System
+
+### `connect`
+
+Establish an authenticated session. Must be the first request after WebSocket upgrade.
+
+**Request:**
+
+```json
+{
+  "token": "gateway-token-or-api-key",
+  "user_id": "external-user-id",
+  "sender_id": "optional-device-id",
+  "locale": "en"
+}
+```
+
+**Response:**
+
+```json
+{
+  "protocol": 3,
+  "role": "admin",
+  "user_id": "user-123",
+  "server": {
+    "version": "1.0.0",
+    "uptime": "2h30m"
+  }
+}
+```
+
+**Auth flow:** Gateway token → timing-safe compare → admin role. If no match, SHA-256 hash → API key lookup → role derived from scopes. Pairing codes also accepted for channel devices.
+
+### `health`
+
+Server health and connected clients.
+
+**Response:**
+
+```json
+{
+  "status": "ok",
+  "version": "1.0.0",
+  "uptime": "2h30m",
+  "mode": "managed",
+  "database": "ok",
+  "tools": ["exec", "web_fetch", "memory", "..."],
+  "clients": [{"id": "...", "role": "admin", "user_id": "..."}],
+  "currentId": "client-uuid"
+}
+```
+
+### `status`
+
+Quick agent/session/client counts.
+
+**Response:**
+
+```json
+{
+  "agents": [{"id": "...", "name": "...", "isRunning": false}],
+  "agentTotal": 5,
+  "clients": 2,
+  "sessions": 42
+}
+```
+
+---
+
+## 2. Chat
+
+### `chat.send`
+
+Send a message to an agent and trigger execution.
+
+**Request:**
+
+```json
+{
+  "message": "Hello, agent",
+  "agentId": "uuid-or-key",
+  "sessionKey": "optional-session",
+  "stream": true,
+  "media": [{"type": "image", "url": "..."}]
+}
+```
+
+**Response:**
+
+```json
+{
+  "runId": "uuid",
+  "content": "Agent response text",
+  "usage": {"input_tokens": 100, "output_tokens": 50},
+  "media": []
+}
+```
+
+When `stream: true`, intermediate events are emitted: `chunk`, `tool.call`, `tool.result`, `run.started`, `run.completed`.
+
+### `chat.history`
+
+Retrieve chat history for a session.
+
+**Request:** `{agentId, sessionKey}`
+**Response:** `{messages: [{role, content, timestamp, ...}]}`
+
+### `chat.abort`
+
+Cancel running agent invocations.
+
+**Request:** `{sessionKey?, runId?}`
+**Response:** `{ok: true, aborted: 1, runIds: ["..."]}`
+
+### `chat.inject`
+
+Inject a message into the session transcript without triggering the agent.
+
+**Request:** `{sessionKey, message, label}`
+**Response:** `{ok: true, messageId: "..."}`
+
+---
+
+## 3. Agents
+
+### `agents.list`
+
+List all agents.
+
+**Response:** `{agents: [{id, name, key, emoji, avatar, agent_type, ...}]}`
+
+### `agent`
+
+Get single agent status.
+
+**Request:** `{agentId}`
+**Response:** `{id, isRunning}`
+
+### `agent.wait`
+
+Wait for agent completion.
+
+**Request:** `{agentId}`
+**Response:** `{id, status}`
+
+### `agent.identity.get`
+
+Get agent identity (name, emoji, avatar, description).
+
+**Request:** `{agentId?, sessionKey?}`
+**Response:** `{agentId, name, emoji, avatar, description}`
+
+### `agents.create`
+
+Create a new agent (admin only).
+
+**Request:**
+
+```json
+{
+  "name": "My Agent",
+  "workspace": "~/agents/my-agent",
+  "emoji": "🤖",
+  "agent_type": "open",
+  "owner_ids": ["user-1"],
+  "tools_config": {},
+  "memory_config": {},
+  "sandbox_config": {}
+}
+```
+
+**Response:** `{ok: true, agentId: "uuid", name, workspace}`
+
+### `agents.update`
+
+Update agent properties (admin only).
+
+**Request:** `{agentId, name?, model?, avatar?, tools_config?, ...}`
+**Response:** `{ok: true, agentId}`
+
+### `agents.delete`
+
+Delete an agent (admin only).
+
+**Request:** `{agentId, deleteFiles: false}`
+**Response:** `{ok: true, agentId, removedBindings: 2}`
+
+### Agent Context Files
+
+| Method | Description |
+|--------|-------------|
+| `agents.files.list` | List allowed context files |
+| `agents.files.get` | Get file content |
+| `agents.files.set` | Save file content |
+
+**Request:** `{agentId, name?, content?}`
+
+### Agent Links (Delegations)
+
+| Method | Description |
+|--------|-------------|
+| `agents.links.list` | List delegation links (direction: from/to/all) |
+| `agents.links.create` | Create link between agents |
+| `agents.links.update` | Update link settings |
+| `agents.links.delete` | Delete link |
+
+---
+
+## 4. Sessions
+
+| Method | Description |
+|--------|-------------|
+| `sessions.list` | List sessions (paginated) |
+| `sessions.preview` | Get session history + summary |
+| `sessions.patch` | Update label, model, metadata |
+| `sessions.delete` | Delete session |
+| `sessions.reset` | Clear session messages |
+
+**`sessions.list` request:** `{agentId, limit, offset}`
+**Response:** `{sessions[], total, limit, offset}`
+
+---
+
+## 5. Config
+
+### `config.get`
+
+Get current configuration.
+
+**Response:** `{config: {...}, hash: "sha256", path: "/path/to/config.json"}`
+
+### `config.apply`
+
+Replace entire config (admin only). Uses optimistic locking via `baseHash`.
+
+**Request:** `{raw: "json5 content", baseHash: "sha256"}`
+**Response:** `{ok, path, config, hash, restart: false}`
+
+### `config.patch`
+
+Merge partial config update (admin only).
+
+**Request:** `{raw: "{gateway: {port: 9090}}", baseHash: "sha256"}`
+**Response:** `{ok, path, config, hash, restart: true}`
+
+### `config.schema`
+
+Get JSON schema for config form generation.
+
+**Response:** `{json: {...schema...}}`
+
+---
+
+## 6. Skills
+
+| Method | Description |
+|--------|-------------|
+| `skills.list` | List all available skills |
+| `skills.get` | Get skill metadata and content |
+| `skills.update` | Update skill metadata (DB-backed only) |
+
+---
+
+## 7. Cron
+
+| Method | Description |
+|--------|-------------|
+| `cron.list` | List cron jobs |
+| `cron.create` | Create scheduled job |
+| `cron.update` | Update job settings |
+| `cron.delete` | Delete job |
+| `cron.toggle` | Enable/disable job |
+| `cron.status` | Get scheduler status |
+| `cron.run` | Trigger immediate execution |
+| `cron.runs` | List execution history |
+
+### `cron.create` Request
+
+```json
+{
+  "name": "daily-report",
+  "schedule": "every day at 09:00",
+  "message": "Generate daily report",
+  "deliver": "channel",
+  "channel": "telegram",
+  "to": "chat-id",
+  "agentId": "uuid"
+}
+```
+
+---
+
+## 8. Channels
+
+| Method | Description |
+|--------|-------------|
+| `channels.list` | List enabled channels |
+| `channels.status` | Get channel connection status |
+
+### Channel Instances
+
+| Method | Description |
+|--------|-------------|
+| `channels.instances.list` | List instances |
+| `channels.instances.get` | Get instance details |
+| `channels.instances.create` | Create instance |
+| `channels.instances.update` | Update instance |
+| `channels.instances.delete` | Delete instance |
+
+---
+
+## 9. Device Pairing
+
+| Method | Description | Auth |
+|--------|-------------|------|
+| `device.pair.request` | Request pairing (from device) | Unauthenticated |
+| `device.pair.approve` | Approve request (from admin) | Admin |
+| `device.pair.deny` | Deny request | Admin |
+| `device.pair.list` | List pending + paired devices | Admin |
+| `device.pair.revoke` | Revoke device | Admin |
+| `browser.pairing.status` | Poll pairing status | Unauthenticated |
+
+### Pairing Flow
+
+```mermaid
+sequenceDiagram
+    Device->>Gateway: device.pair.request {senderId, channel}
+    Gateway-->>Device: {code: "A1B2C3D4"}
+    Device->>Gateway: browser.pairing.status {sender_id} (poll)
+    Admin->>Gateway: device.pair.approve {code, approvedBy}
+    Gateway-->>Device: {status: "approved"}
+```
+
+---
+
+## 10. Teams
+
+### Team CRUD
+
+| Method | Description |
+|--------|-------------|
+| `teams.list` | List all teams |
+| `teams.create` | Create team (admin only) |
+| `teams.get` | Get team with members |
+| `teams.update` | Update team properties |
+| `teams.delete` | Delete team |
+
+### Members
+
+| Method | Description |
+|--------|-------------|
+| `teams.members.add` | Add agent to team with role |
+| `teams.members.remove` | Remove agent from team |
+
+### Tasks
+
+| Method | Description |
+|--------|-------------|
+| `teams.tasks.list` | List team tasks (filterable) |
+| `teams.tasks.get` | Get task with comments/events |
+| `teams.tasks.create` | Create task |
+| `teams.tasks.approve` | Approve task |
+| `teams.tasks.reject` | Reject task |
+| `teams.tasks.comment` | Add comment |
+| `teams.tasks.comments` | List comments |
+| `teams.tasks.events` | List task events |
+| `teams.tasks.assign` | Assign to member |
+
+### Workspace
+
+| Method | Description |
+|--------|-------------|
+| `teams.workspace.list` | List workspace items |
+| `teams.workspace.read` | Read workspace file |
+| `teams.workspace.delete` | Delete workspace item |
+
+---
+
+## 11. Exec Approvals
+
+| Method | Description |
+|--------|-------------|
+| `exec.approval.list` | List pending command approvals |
+| `exec.approval.approve` | Approve (optionally always for this command) |
+| `exec.approval.deny` | Deny command execution |
+
+---
+
+## 12. Delegations
+
+| Method | Description |
+|--------|-------------|
+| `delegations.list` | List delegation history (filterable) |
+| `delegations.get` | Get delegation record |
+
+**Filters:** `source_agent_id`, `target_agent_id`, `team_id`, `user_id`, `status`
+
+---
+
+## 13. Usage & Quotas
+
+| Method | Description |
+|--------|-------------|
+| `usage.get` | Get usage records by agent |
+| `usage.summary` | Get summary of token usage |
+| `quota.usage` | Get quota consumption |
+
+---
+
+## 14. API Keys
+
+Admin-only methods.
+
+| Method | Description |
+|--------|-------------|
+| `api_keys.list` | List API keys (masked) |
+| `api_keys.create` | Create new API key |
+| `api_keys.revoke` | Revoke an API key |
+
+See [20 — API Keys & Auth](20-api-keys-auth.md) for the full authentication model.
+
+---
+
+## 15. Messaging
+
+### `send`
+
+Route an outbound message to a channel.
+
+**Request:** `{channel: "telegram", to: "chat-id", message: "Hello"}`
+**Response:** `{ok: true, channel, to}`
+
+---
+
+## 16. Logs
+
+### `logs.tail`
+
+Start or stop live log streaming.
+
+**Request:** `{action: "start", level: "info"}`
+**Response:** `{status: "started", level: "info"}`
+
+Log entries are delivered as events while tailing is active.
+
+---
+
+## 17. Permission Matrix
+
+Methods are gated by role. The role is determined at `connect` time from the token type and scopes.
+
+| Role | Access |
+|------|--------|
+| **Admin** | All methods |
+| **Operator** | Read + write operations (chat, sessions, cron, approvals, send) |
+| **Viewer** | Read-only (list, get, preview, status, history) |
+
+### Admin-Only Methods
+
+`config.apply`, `config.patch`, `agents.create`, `agents.update`, `agents.delete`, `agents.links.*`, `channels.toggle`, `device.pair.approve`, `device.pair.deny`, `device.pair.revoke`, `teams.*`, `api_keys.*`
+
+### Write Methods (Operator+)
+
+`chat.send`, `chat.abort`, `chat.inject`, `sessions.delete`, `sessions.reset`, `sessions.patch`, `cron.*`, `skills.update`, `exec.approval.*`, `send`, `teams.tasks.*`
+
+### Read Methods (Viewer+)
+
+All other methods: list, get, preview, status, history, etc.
+
+---
+
+## 18. Events
+
+The server pushes events to connected clients via event frames. Key event types:
+
+| Event | Description |
+|-------|-------------|
+| `run.started` | Agent run began |
+| `run.completed` | Agent run finished |
+| `chunk` | Streaming text chunk |
+| `tool.call` | Tool invocation started |
+| `tool.result` | Tool invocation completed |
+| `session.updated` | Session metadata changed |
+| `agent.updated` | Agent config changed |
+| `cron.fired` | Cron job triggered |
+| `team.task.*` | Team task lifecycle events |
+| `exec.approval.pending` | Command awaiting approval |
+
+---
+
+## File Reference
+
+| File | Purpose |
+|------|---------|
+| `internal/gateway/router.go` | Method dispatch + auth + connect handler |
+| `internal/gateway/client.go` | WebSocket client + frame reading |
+| `internal/gateway/server.go` | Server + mux setup |
+| `internal/gateway/methods/chat.go` | Chat send/history/abort/inject |
+| `internal/gateway/methods/agents.go` | Agent list/status |
+| `internal/gateway/methods/agents_create.go` | Agent creation |
+| `internal/gateway/methods/agents_update.go` | Agent update |
+| `internal/gateway/methods/agents_delete.go` | Agent deletion |
+| `internal/gateway/methods/agents_files.go` | Agent context files |
+| `internal/gateway/methods/agents_identity.go` | Agent identity |
+| `internal/gateway/methods/agent_links.go` | Agent delegation links |
+| `internal/gateway/methods/config.go` | Config get/apply/patch/schema |
+| `internal/gateway/methods/sessions.go` | Session CRUD |
+| `internal/gateway/methods/skills.go` | Skill list/get/update |
+| `internal/gateway/methods/cron.go` | Cron job management |
+| `internal/gateway/methods/channels.go` | Channel listing |
+| `internal/gateway/methods/channel_instances.go` | Channel instance CRUD |
+| `internal/gateway/methods/pairing.go` | Device pairing flow |
+| `internal/gateway/methods/teams.go` | Team list |
+| `internal/gateway/methods/teams_crud.go` | Team CRUD |
+| `internal/gateway/methods/teams_members.go` | Team membership |
+| `internal/gateway/methods/teams_tasks.go` | Team task management |
+| `internal/gateway/methods/teams_workspace.go` | Team workspace |
+| `internal/gateway/methods/exec_approval.go` | Exec approval flow |
+| `internal/gateway/methods/delegations.go` | Delegation history |
+| `internal/gateway/methods/usage.go` | Usage records |
+| `internal/gateway/methods/quota_methods.go` | Quota consumption |
+| `internal/gateway/methods/api_keys.go` | API key management |
+| `internal/gateway/methods/send.go` | Outbound messaging |
+| `internal/gateway/methods/logs.go` | Log tailing |
+| `internal/permissions/policy.go` | RBAC policy engine |
+| `pkg/protocol/methods.go` | Method name constants |
diff --git a/docs/20-api-keys-auth.md b/docs/20-api-keys-auth.md
new file mode 100644
index 00000000..9de9144b
--- /dev/null
+++ b/docs/20-api-keys-auth.md
@@ -0,0 +1,288 @@
+# 20 — API Keys & Authentication
+
+GoClaw supports two authentication mechanisms: a single gateway token (configured at startup) and multiple API keys with fine-grained RBAC scopes. Both work across HTTP REST and WebSocket RPC.
+
+---
+
+## 1. Gateway Token
+
+The gateway token is set in `config.json` under `gateway.token`. It grants full admin access.
+
+```json5
+{
+  "gateway": {
+    "token": "my-secret-token"
+  }
+}
+```
+
+Used as a Bearer token:
+
+```
+Authorization: Bearer my-secret-token
+```
+
+Or in WebSocket `connect`:
+
+```json
+{"method": "connect", "params": {"token": "my-secret-token", "user_id": "admin"}}
+```
+
+> The gateway token is compared using timing-safe comparison to prevent timing attacks.
+
+---
+
+## 2. API Keys
+
+API keys provide scoped, revocable access for CI/CD, integrations, and third-party clients.
+
+### Key Format
+
+```
+goclaw_a1b2c3d4e5f6789012345678901234567890abcdef
+```
+
+- **Prefix:** `goclaw_` (6 chars)
+- **Random:** 32 hex characters (128 bits of entropy)
+- **Display prefix:** `goclaw_` + first 8 hex chars (shown in UI after creation)
+
+### Security Model
+
+Keys are hashed with SHA-256 before storage — the raw key is never persisted. This follows the same pattern as GitHub Personal Access Tokens.
+
+```
+raw key → SHA-256 → stored hash
+```
+
+On authentication, the incoming token is hashed and looked up in the `api_keys` table via a partial index on non-revoked keys.
+
+### Show-Once Pattern
+
+The raw key is returned **only once** in the create response. All subsequent list/get calls show only the `prefix` field (first 8 chars after `goclaw_`). Users must copy the key immediately.
+
+---
+
+## 3. RBAC Scopes
+
+Each API key is assigned one or more scopes that determine what operations it can perform.
+
+| Scope | Description | Derived Role |
+|-------|-------------|-------------|
+| `operator.admin` | Full access (equivalent to gateway token) | Admin |
+| `operator.read` | Read-only access to all resources | Viewer |
+| `operator.write` | Read + write access (chat, sessions, cron) | Operator |
+| `operator.approvals` | Manage exec approvals | Operator |
+| `operator.pairing` | Manage device pairings | Operator |
+
+### Role Derivation
+
+The highest-privilege scope determines the effective role:
+
+```
+admin scope present    → RoleAdmin
+write/approvals/pairing → RoleOperator
+read only              → RoleViewer
+```
+
+The role is then used by the `PolicyEngine` to gate method access (see [19 — WebSocket RPC](19-websocket-rpc.md#17-permission-matrix)).
+
+---
+
+## 4. Authentication Flow
+
+```mermaid
+flowchart TD
+    A[Incoming request] --> B{Bearer token?}
+    B -->|No| C[401 Unauthorized]
+    B -->|Yes| D{Match gateway token?}
+    D -->|Yes| E[Admin role]
+    D -->|No| F[SHA-256 hash token]
+    F --> G{Lookup in api_keys}
+    G -->|Not found| C
+    G -->|Found + revoked| C
+    G -->|Found + expired| C
+    G -->|Found + valid| H[Derive role from scopes]
+    H --> I[Set role on context]
+```
+
+This flow is identical for both HTTP (`internal/http/auth.go`) and WebSocket (`internal/gateway/router.go` — connect handler).
+
+### Last-Used Tracking
+
+On successful API key authentication, `last_used_at` is updated asynchronously (via goroutine) to avoid blocking the request path.
+
+---
+
+## 5. Database Schema
+
+```sql
+CREATE TABLE api_keys (
+    id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    name        TEXT        NOT NULL,
+    prefix      TEXT        NOT NULL,
+    key_hash    TEXT        NOT NULL,
+    scopes      TEXT[]      NOT NULL DEFAULT '{}',
+    expires_at  TIMESTAMPTZ,
+    last_used_at TIMESTAMPTZ,
+    revoked     BOOLEAN     NOT NULL DEFAULT FALSE,
+    created_by  TEXT        NOT NULL DEFAULT '',
+    created_at  TIMESTAMPTZ NOT NULL DEFAULT now(),
+    updated_at  TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+
+CREATE INDEX idx_api_keys_hash_active
+    ON api_keys (key_hash)
+    WHERE NOT revoked;
+```
+
+The partial index ensures only active (non-revoked) keys are searched during authentication, keeping lookups fast regardless of how many keys have been revoked over time.
+
+---
+
+## 6. API Endpoints
+
+### HTTP REST
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/api-keys` | List all keys (masked) |
+| `POST` | `/v1/api-keys` | Create key |
+| `DELETE` | `/v1/api-keys/{id}` | Revoke key |
+
+### WebSocket RPC
+
+| Method | Description |
+|--------|-------------|
+| `api_keys.list` | List all keys (masked) |
+| `api_keys.create` | Create key |
+| `api_keys.revoke` | Revoke key |
+
+All API key management operations require admin access (gateway token or API key with `operator.admin` scope).
+
+### Create Request
+
+```json
+{
+  "name": "ci-deploy",
+  "scopes": ["operator.read", "operator.write"],
+  "expires_in": 2592000
+}
+```
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `name` | string | Yes | Human-readable label |
+| `scopes` | string[] | Yes | Permission scopes |
+| `expires_in` | int | No | TTL in seconds (omit for no expiry) |
+
+### Create Response
+
+```json
+{
+  "id": "01961234-5678-7abc-def0-123456789012",
+  "name": "ci-deploy",
+  "prefix": "goclaw_a1b2c3d4",
+  "key": "goclaw_a1b2c3d4e5f6789012345678901234567890abcdef",
+  "scopes": ["operator.read", "operator.write"],
+  "expires_at": "2026-04-14T12:00:00Z",
+  "created_at": "2026-03-15T12:00:00Z"
+}
+```
+
+### List Response
+
+```json
+[
+  {
+    "id": "01961234-...",
+    "name": "ci-deploy",
+    "prefix": "goclaw_a1b2c3d4",
+    "scopes": ["operator.read", "operator.write"],
+    "expires_at": "2026-04-14T12:00:00Z",
+    "last_used_at": "2026-03-15T14:30:00Z",
+    "revoked": false,
+    "created_by": "admin",
+    "created_at": "2026-03-15T12:00:00Z"
+  }
+]
+```
+
+> Note: `key` field is absent in list responses. Only `prefix` is shown.
+
+---
+
+## 7. Backward Compatibility
+
+The gateway token continues to work exactly as before. API keys are an additional authentication path — no breaking changes to existing integrations.
+
+| Auth method | Before | After |
+|------------|--------|-------|
+| Gateway token | Admin access | Admin access (unchanged) |
+| API key | N/A | Scoped access per key |
+| Device pairing | Operator access | Operator access (unchanged) |
+
+---
+
+## 8. Web UI
+
+The API Keys management page is accessible from the sidebar under **System > API Keys** (admin only).
+
+Features:
+- **Create dialog:** Name, scope checkboxes, optional expiry (1 day, 7 days, 30 days, 90 days, never)
+- **Show-once dialog:** Displays the raw key with copy button after creation
+- **List view:** Searchable, paginated table with name, prefix, scopes, expiry, last used, status
+- **Revoke:** Confirmation dialog before revoking a key
+
+---
+
+## 9. Usage Examples
+
+### cURL with API Key
+
+```bash
+# List agents (read scope required)
+curl -H "Authorization: Bearer goclaw_a1b2c3d4..." \
+     http://localhost:9090/v1/agents
+
+# Send chat message (write scope required)
+curl -X POST -H "Authorization: Bearer goclaw_a1b2c3d4..." \
+     -H "Content-Type: application/json" \
+     -d '{"model":"goclaw:my-agent","messages":[{"role":"user","content":"Hello"}]}' \
+     http://localhost:9090/v1/chat/completions
+```
+
+### WebSocket with API Key
+
+```json
+{"id": 1, "method": "connect", "params": {
+  "token": "goclaw_a1b2c3d4e5f6...",
+  "user_id": "ci-bot"
+}}
+```
+
+### Create Key via API
+
+```bash
+curl -X POST -H "Authorization: Bearer gateway-admin-token" \
+     -H "Content-Type: application/json" \
+     -d '{"name":"ci","scopes":["operator.read","operator.write"]}' \
+     http://localhost:9090/v1/api-keys
+```
+
+---
+
+## File Reference
+
+| File | Purpose |
+|------|---------|
+| `internal/crypto/apikey.go` | Key generation + SHA-256 hashing |
+| `internal/store/api_key_store.go` | Store interface + `APIKeyData` struct |
+| `internal/store/pg/api_keys.go` | PostgreSQL implementation |
+| `internal/http/api_keys.go` | HTTP API handler |
+| `internal/http/auth.go` | HTTP auth middleware (resolveAPIKey) |
+| `internal/gateway/router.go` | WebSocket connect auth (API key path) |
+| `internal/gateway/methods/api_keys.go` | WebSocket RPC methods |
+| `internal/permissions/policy.go` | RBAC policy engine |
+| `internal/permissions/scope.go` | Scope constants + RoleFromScopes |
+| `migrations/000020_api_keys.up.sql` | Database migration |
+| `ui/web/src/pages/api-keys/` | Web UI components |
diff --git a/internal/crypto/apikey.go b/internal/crypto/apikey.go
new file mode 100644
index 00000000..085e84e2
--- /dev/null
+++ b/internal/crypto/apikey.go
@@ -0,0 +1,30 @@
+package crypto
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+)
+
+const apiKeyPrefix = "goclaw_"
+
+// GenerateAPIKey creates a new API key with format "goclaw_<32hex>".
+// Returns the raw key (show once), its SHA-256 hash, and 8-char display prefix.
+func GenerateAPIKey() (raw, hash, displayPrefix string, err error) {
+	b := make([]byte, 16) // 16 bytes = 32 hex chars
+	if _, err = rand.Read(b); err != nil {
+		return "", "", "", fmt.Errorf("generate random bytes: %w", err)
+	}
+
+	raw = apiKeyPrefix + hex.EncodeToString(b)
+	hash = HashAPIKey(raw)
+	displayPrefix = hex.EncodeToString(b[:4]) // first 8 hex chars of the random part
+	return raw, hash, displayPrefix, nil
+}
+
+// HashAPIKey returns the SHA-256 hex digest of a raw API key.
+func HashAPIKey(raw string) string {
+	h := sha256.Sum256([]byte(raw))
+	return hex.EncodeToString(h[:])
+}
diff --git a/internal/gateway/client.go b/internal/gateway/client.go
index ce5b7457..b76d006d 100644
--- a/internal/gateway/client.go
+++ b/internal/gateway/client.go
@@ -27,6 +27,7 @@ type Client struct {
 	remoteAddr  string    // peer IP (extracted from proxy headers or RemoteAddr)
 
 	locale string // user's preferred locale (e.g. "en", "vi", "zh")
+	scopes []permissions.Scope // API key scopes (empty = role-based auth, no scope restriction)
 
 	// Browser pairing state
 	pairingCode     string // 8-char code if pending approval
diff --git a/internal/gateway/methods/api_keys.go b/internal/gateway/methods/api_keys.go
new file mode 100644
index 00000000..cb816788
--- /dev/null
+++ b/internal/gateway/methods/api_keys.go
@@ -0,0 +1,149 @@
+package methods
+
+import (
+	"context"
+	"encoding/json"
+	"log/slog"
+	"time"
+
+	"github.com/google/uuid"
+
+	"github.com/nextlevelbuilder/goclaw/internal/crypto"
+	"github.com/nextlevelbuilder/goclaw/internal/gateway"
+	"github.com/nextlevelbuilder/goclaw/internal/i18n"
+	"github.com/nextlevelbuilder/goclaw/internal/permissions"
+	"github.com/nextlevelbuilder/goclaw/internal/store"
+	"github.com/nextlevelbuilder/goclaw/pkg/protocol"
+)
+
+// APIKeysMethods handles api_keys.list, api_keys.create, api_keys.revoke.
+type APIKeysMethods struct {
+	apiKeys store.APIKeyStore
+}
+
+// NewAPIKeysMethods creates a new API keys method handler.
+func NewAPIKeysMethods(apiKeys store.APIKeyStore) *APIKeysMethods {
+	return &APIKeysMethods{apiKeys: apiKeys}
+}
+
+// Register registers API key management RPC methods.
+func (m *APIKeysMethods) Register(router *gateway.MethodRouter) {
+	router.Register(protocol.MethodAPIKeysList, m.handleList)
+	router.Register(protocol.MethodAPIKeysCreate, m.handleCreate)
+	router.Register(protocol.MethodAPIKeysRevoke, m.handleRevoke)
+}
+
+func (m *APIKeysMethods) handleList(ctx context.Context, client *gateway.Client, req *protocol.RequestFrame) {
+	locale := store.LocaleFromContext(ctx)
+	keys, err := m.apiKeys.List(ctx)
+	if err != nil {
+		slog.Error("api_keys.list failed", "error", err)
+		client.SendResponse(protocol.NewErrorResponse(req.ID, protocol.ErrInternal, i18n.T(locale, i18n.MsgFailedToList, "API keys")))
+		return
+	}
+	if keys == nil {
+		keys = []store.APIKeyData{}
+	}
+	client.SendResponse(protocol.NewOKResponse(req.ID, keys))
+}
+
+func (m *APIKeysMethods) handleCreate(ctx context.Context, client *gateway.Client, req *protocol.RequestFrame) {
+	locale := store.LocaleFromContext(ctx)
+
+	var params struct {
+		Name      string   `json:"name"`
+		Scopes    []string `json:"scopes"`
+		ExpiresIn *int     `json:"expires_in"` // seconds; nil = never
+	}
+	if req.Params != nil {
+		if err := json.Unmarshal(req.Params, &params); err != nil {
+			client.SendResponse(protocol.NewErrorResponse(req.ID, protocol.ErrInvalidRequest, i18n.T(locale, i18n.MsgInvalidJSON)))
+			return
+		}
+	}
+
+	if params.Name == "" {
+		client.SendResponse(protocol.NewErrorResponse(req.ID, protocol.ErrInvalidRequest, i18n.T(locale, i18n.MsgRequired, "name")))
+		return
+	}
+	if len(params.Scopes) == 0 {
+		client.SendResponse(protocol.NewErrorResponse(req.ID, protocol.ErrInvalidRequest, i18n.T(locale, i18n.MsgRequired, "scopes")))
+		return
+	}
+
+	// Validate scopes
+	for _, s := range params.Scopes {
+		if !permissions.ValidScope(s) {
+			client.SendResponse(protocol.NewErrorResponse(req.ID, protocol.ErrInvalidRequest, i18n.T(locale, i18n.MsgInvalidRequest, "invalid scope: "+s)))
+			return
+		}
+	}
+
+	raw, hash, prefix, err := crypto.GenerateAPIKey()
+	if err != nil {
+		slog.Error("api_keys.generate failed", "error", err)
+		client.SendResponse(protocol.NewErrorResponse(req.ID, protocol.ErrInternal, i18n.T(locale, i18n.MsgInternalError, "key generation")))
+		return
+	}
+
+	now := time.Now()
+	key := &store.APIKeyData{
+		ID:        store.GenNewID(),
+		Name:      params.Name,
+		Prefix:    prefix,
+		KeyHash:   hash,
+		Scopes:    params.Scopes,
+		CreatedBy: store.UserIDFromContext(ctx),
+		CreatedAt: now,
+		UpdatedAt: now,
+	}
+
+	if params.ExpiresIn != nil && *params.ExpiresIn > 0 {
+		exp := now.Add(time.Duration(*params.ExpiresIn) * time.Second)
+		key.ExpiresAt = &exp
+	}
+
+	if err := m.apiKeys.Create(ctx, key); err != nil {
+		slog.Error("api_keys.create failed", "error", err)
+		client.SendResponse(protocol.NewErrorResponse(req.ID, protocol.ErrInternal, i18n.T(locale, i18n.MsgFailedToCreate, "API key", "internal error")))
+		return
+	}
+
+	client.SendResponse(protocol.NewOKResponse(req.ID, map[string]any{
+		"id":         key.ID,
+		"name":       key.Name,
+		"prefix":     key.Prefix,
+		"key":        raw,
+		"scopes":     key.Scopes,
+		"expires_at": key.ExpiresAt,
+		"created_at": key.CreatedAt,
+	}))
+}
+
+func (m *APIKeysMethods) handleRevoke(ctx context.Context, client *gateway.Client, req *protocol.RequestFrame) {
+	locale := store.LocaleFromContext(ctx)
+
+	var params struct {
+		ID string `json:"id"`
+	}
+	if req.Params != nil {
+		if err := json.Unmarshal(req.Params, &params); err != nil {
+			client.SendResponse(protocol.NewErrorResponse(req.ID, protocol.ErrInvalidRequest, i18n.T(locale, i18n.MsgInvalidJSON)))
+			return
+		}
+	}
+
+	id, err := uuid.Parse(params.ID)
+	if err != nil {
+		client.SendResponse(protocol.NewErrorResponse(req.ID, protocol.ErrInvalidRequest, i18n.T(locale, i18n.MsgInvalidID, "API key")))
+		return
+	}
+
+	if err := m.apiKeys.Revoke(ctx, id); err != nil {
+		slog.Error("api_keys.revoke failed", "error", err, "id", params.ID)
+		client.SendResponse(protocol.NewErrorResponse(req.ID, protocol.ErrNotFound, i18n.T(locale, i18n.MsgNotFound, "API key", params.ID)))
+		return
+	}
+
+	client.SendResponse(protocol.NewOKResponse(req.ID, map[string]string{"status": "revoked"}))
+}
diff --git a/internal/gateway/router.go b/internal/gateway/router.go
index a6546a8d..f8a48c36 100644
--- a/internal/gateway/router.go
+++ b/internal/gateway/router.go
@@ -6,6 +6,7 @@ import (
 	"log/slog"
 	"time"
 
+	"github.com/nextlevelbuilder/goclaw/internal/crypto"
 	"github.com/nextlevelbuilder/goclaw/internal/i18n"
 	"github.com/nextlevelbuilder/goclaw/internal/permissions"
 	"github.com/nextlevelbuilder/goclaw/internal/store"
@@ -99,7 +100,7 @@ func (r *MethodRouter) handleConnect(ctx context.Context, client *Client, req *p
 
 	configToken := r.server.cfg.Gateway.Token
 
-	// Path 1: Valid token → admin
+	// Path 1: Valid gateway token → admin
 	if configToken != "" && params.Token == configToken {
 		client.role = permissions.RoleAdmin
 		client.authenticated = true
@@ -108,6 +109,25 @@ func (r *MethodRouter) handleConnect(ctx context.Context, client *Client, req *p
 		return
 	}
 
+	// Path 1b: API key → role derived from scopes
+	if params.Token != "" && r.server.apiKeyStore != nil {
+		hash := crypto.HashAPIKey(params.Token)
+		keyData, err := r.server.apiKeyStore.GetByHash(ctx, hash)
+		if err == nil && keyData != nil {
+			scopes := make([]permissions.Scope, len(keyData.Scopes))
+			for i, s := range keyData.Scopes {
+				scopes[i] = permissions.Scope(s)
+			}
+			client.role = permissions.RoleFromScopes(scopes)
+			client.scopes = scopes
+			client.authenticated = true
+			client.userID = params.UserID
+			go r.server.apiKeyStore.TouchLastUsed(context.Background(), keyData.ID)
+			r.sendConnectResponse(client, req.ID)
+			return
+		}
+	}
+
 	// Path 2: No token configured → operator (backward compat)
 	if configToken == "" {
 		client.role = permissions.RoleOperator
diff --git a/internal/gateway/server.go b/internal/gateway/server.go
index b0f74fd1..75e4a66b 100644
--- a/internal/gateway/server.go
+++ b/internal/gateway/server.go
@@ -57,6 +57,9 @@ type Server struct {
 	mediaServeHandler       *httpapi.MediaServeHandler       // media serve endpoint
 	activityHandler         *httpapi.ActivityHandler         // activity audit log API
 	usageHandler            *httpapi.UsageHandler            // usage analytics API
+	apiKeysHandler     *httpapi.APIKeysHandler      // API key management
+	apiKeyStore        store.APIKeyStore            // for API key auth lookup
+	docsHandler        *httpapi.DocsHandler         // OpenAPI spec + Swagger UI
 	agentStore         store.AgentStore             // for context injection in tools_invoke
 	msgBus             *bus.MessageBus              // for MCP bridge media delivery
 
@@ -248,6 +251,10 @@ func (s *Server) BuildMux() *http.ServeMux {
 		s.mediaServeHandler.RegisterRoutes(mux)
 	}
 
+	if s.apiKeysHandler != nil {
+		s.apiKeysHandler.RegisterRoutes(mux)
+	}
+
 	if s.activityHandler != nil {
 		s.activityHandler.RegisterRoutes(mux)
 	}
@@ -256,6 +263,11 @@ func (s *Server) BuildMux() *http.ServeMux {
 		s.usageHandler.RegisterRoutes(mux)
 	}
 
+	// API documentation (OpenAPI spec + Swagger UI)
+	if s.docsHandler != nil {
+		s.docsHandler.RegisterRoutes(mux)
+	}
+
 	// OAuth endpoints (available in all modes)
 	if s.oauthHandler != nil {
 		s.oauthHandler.RegisterRoutes(mux)
@@ -465,6 +477,12 @@ func (s *Server) SetBuiltinToolsHandler(h *httpapi.BuiltinToolsHandler) {
 // SetOAuthHandler sets the OAuth handler (available in all modes).
 func (s *Server) SetOAuthHandler(h *httpapi.OAuthHandler) { s.oauthHandler = h }
 
+// SetAPIKeysHandler sets the API key management handler.
+func (s *Server) SetAPIKeysHandler(h *httpapi.APIKeysHandler) { s.apiKeysHandler = h }
+
+// SetAPIKeyStore sets the API key store for token-based auth lookup.
+func (s *Server) SetAPIKeyStore(st store.APIKeyStore) { s.apiKeyStore = st }
+
 // SetFilesHandler sets the workspace file serving handler.
 func (s *Server) SetFilesHandler(h *httpapi.FilesHandler) { s.filesHandler = h }
 
@@ -489,6 +507,9 @@ func (s *Server) SetActivityHandler(h *httpapi.ActivityHandler) { s.activityHand
 // SetUsageHandler sets the usage analytics handler.
 func (s *Server) SetUsageHandler(h *httpapi.UsageHandler) { s.usageHandler = h }
 
+// SetDocsHandler sets the OpenAPI spec + Swagger UI handler.
+func (s *Server) SetDocsHandler(h *httpapi.DocsHandler) { s.docsHandler = h }
+
 // SetAgentStore sets the agent store for context injection in tools_invoke.
 func (s *Server) SetAgentStore(as store.AgentStore) { s.agentStore = as }
 
diff --git a/internal/http/api_keys.go b/internal/http/api_keys.go
new file mode 100644
index 00000000..fc3c7171
--- /dev/null
+++ b/internal/http/api_keys.go
@@ -0,0 +1,184 @@
+package http
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"time"
+
+	"github.com/google/uuid"
+
+	"github.com/nextlevelbuilder/goclaw/internal/bus"
+	"github.com/nextlevelbuilder/goclaw/internal/crypto"
+	"github.com/nextlevelbuilder/goclaw/internal/i18n"
+	"github.com/nextlevelbuilder/goclaw/internal/permissions"
+	"github.com/nextlevelbuilder/goclaw/internal/store"
+	"github.com/nextlevelbuilder/goclaw/pkg/protocol"
+)
+
+// APIKeysHandler handles API key management endpoints.
+type APIKeysHandler struct {
+	apiKeys store.APIKeyStore
+	token   string          // gateway token for admin auth
+	msgBus  *bus.MessageBus // for cache invalidation events
+}
+
+// NewAPIKeysHandler creates a handler for API key management endpoints.
+func NewAPIKeysHandler(apiKeys store.APIKeyStore, token string, msgBus *bus.MessageBus) *APIKeysHandler {
+	return &APIKeysHandler{apiKeys: apiKeys, token: token, msgBus: msgBus}
+}
+
+// RegisterRoutes registers all API key management routes on the given mux.
+func (h *APIKeysHandler) RegisterRoutes(mux *http.ServeMux) {
+	mux.HandleFunc("GET /v1/api-keys", h.adminAuth(h.handleList))
+	mux.HandleFunc("POST /v1/api-keys", h.adminAuth(h.handleCreate))
+	mux.HandleFunc("POST /v1/api-keys/{id}/revoke", h.adminAuth(h.handleRevoke))
+}
+
+// adminAuth ensures the caller has admin access (gateway token or API key with admin scope).
+func (h *APIKeysHandler) adminAuth(next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		locale := extractLocale(r)
+		bearer := extractBearerToken(r)
+
+		// Try gateway token first
+		if h.token != "" && tokenMatch(bearer, h.token) {
+			next(w, r)
+			return
+		}
+
+		// Try API key with admin scope
+		if key, role := resolveAPIKey(r.Context(), bearer, h.apiKeys); key != nil {
+			if role == permissions.RoleAdmin {
+				next(w, r)
+				return
+			}
+		}
+
+		// No auth configured = allow (backward compat)
+		if h.token == "" {
+			slog.Warn("security.api_keys_no_auth", "path", r.URL.Path, "remote", r.RemoteAddr)
+			next(w, r)
+			return
+		}
+
+		writeJSON(w, http.StatusUnauthorized, map[string]string{"error": i18n.T(locale, i18n.MsgUnauthorized)})
+	}
+}
+
+func (h *APIKeysHandler) handleList(w http.ResponseWriter, r *http.Request) {
+	locale := extractLocale(r)
+	keys, err := h.apiKeys.List(r.Context())
+	if err != nil {
+		slog.Error("api_keys.list failed", "error", err)
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": i18n.T(locale, i18n.MsgFailedToList, "API keys")})
+		return
+	}
+	if keys == nil {
+		keys = []store.APIKeyData{}
+	}
+	writeJSON(w, http.StatusOK, keys)
+}
+
+func (h *APIKeysHandler) handleCreate(w http.ResponseWriter, r *http.Request) {
+	locale := extractLocale(r)
+
+	var input struct {
+		Name      string   `json:"name"`
+		Scopes    []string `json:"scopes"`
+		ExpiresIn *int     `json:"expires_in"` // seconds; nil = never
+	}
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": i18n.T(locale, i18n.MsgInvalidJSON)})
+		return
+	}
+
+	if input.Name == "" {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": i18n.T(locale, i18n.MsgRequired, "name")})
+		return
+	}
+	if len(input.Scopes) == 0 {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": i18n.T(locale, i18n.MsgRequired, "scopes")})
+		return
+	}
+
+	// Validate scopes
+	for _, s := range input.Scopes {
+		if !permissions.ValidScope(s) {
+			writeJSON(w, http.StatusBadRequest, map[string]string{"error": i18n.T(locale, i18n.MsgInvalidRequest, "invalid scope: "+s)})
+			return
+		}
+	}
+
+	raw, hash, prefix, err := crypto.GenerateAPIKey()
+	if err != nil {
+		slog.Error("api_keys.generate failed", "error", err)
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": i18n.T(locale, i18n.MsgInternalError, "key generation")})
+		return
+	}
+
+	now := time.Now()
+	key := &store.APIKeyData{
+		ID:        store.GenNewID(),
+		Name:      input.Name,
+		Prefix:    prefix,
+		KeyHash:   hash,
+		Scopes:    input.Scopes,
+		CreatedBy: extractUserID(r),
+		CreatedAt: now,
+		UpdatedAt: now,
+	}
+
+	if input.ExpiresIn != nil && *input.ExpiresIn > 0 {
+		exp := now.Add(time.Duration(*input.ExpiresIn) * time.Second)
+		key.ExpiresAt = &exp
+	}
+
+	if err := h.apiKeys.Create(r.Context(), key); err != nil {
+		slog.Error("api_keys.create failed", "error", err)
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": i18n.T(locale, i18n.MsgFailedToCreate, "API key", "internal error")})
+		return
+	}
+
+	h.emitCacheInvalidate("api_keys", key.ID.String())
+
+	// Return key with raw secret (shown only once)
+	writeJSON(w, http.StatusCreated, map[string]any{
+		"id":         key.ID,
+		"name":       key.Name,
+		"prefix":     key.Prefix,
+		"key":        raw, // shown only once!
+		"scopes":     key.Scopes,
+		"expires_at": key.ExpiresAt,
+		"created_at": key.CreatedAt,
+	})
+}
+
+func (h *APIKeysHandler) handleRevoke(w http.ResponseWriter, r *http.Request) {
+	locale := extractLocale(r)
+	idStr := r.PathValue("id")
+	id, err := uuid.Parse(idStr)
+	if err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": i18n.T(locale, i18n.MsgInvalidID, "API key")})
+		return
+	}
+
+	if err := h.apiKeys.Revoke(r.Context(), id); err != nil {
+		slog.Error("api_keys.revoke failed", "error", err, "id", idStr)
+		writeJSON(w, http.StatusNotFound, map[string]string{"error": i18n.T(locale, i18n.MsgNotFound, "API key", idStr)})
+		return
+	}
+
+	h.emitCacheInvalidate("api_keys", idStr)
+	writeJSON(w, http.StatusOK, map[string]string{"status": "revoked"})
+}
+
+func (h *APIKeysHandler) emitCacheInvalidate(kind, key string) {
+	if h.msgBus == nil {
+		return
+	}
+	h.msgBus.Broadcast(bus.Event{
+		Name:    protocol.EventCacheInvalidate,
+		Payload: bus.CacheInvalidatePayload{Kind: kind, Key: key},
+	})
+}
diff --git a/internal/http/auth.go b/internal/http/auth.go
index a7a46b5b..70bfbed7 100644
--- a/internal/http/auth.go
+++ b/internal/http/auth.go
@@ -1,12 +1,15 @@
 package http
 
 import (
+	"context"
 	"crypto/subtle"
 	"log/slog"
 	"net/http"
 	"strings"
 
+	"github.com/nextlevelbuilder/goclaw/internal/crypto"
 	"github.com/nextlevelbuilder/goclaw/internal/i18n"
+	"github.com/nextlevelbuilder/goclaw/internal/permissions"
 	"github.com/nextlevelbuilder/goclaw/internal/store"
 )
 
@@ -68,6 +71,25 @@ func extractAgentID(r *http.Request, model string) string {
 	return "default"
 }
 
+// resolveAPIKey checks if the bearer token is a valid API key.
+// Returns the key data and derived role, or nil if not found/expired/revoked.
+func resolveAPIKey(ctx context.Context, token string, apiKeys store.APIKeyStore) (*store.APIKeyData, permissions.Role) {
+	if apiKeys == nil || token == "" {
+		return nil, ""
+	}
+	hash := crypto.HashAPIKey(token)
+	key, err := apiKeys.GetByHash(ctx, hash)
+	if err != nil || key == nil {
+		return nil, ""
+	}
+	scopes := make([]permissions.Scope, len(key.Scopes))
+	for i, s := range key.Scopes {
+		scopes[i] = permissions.Scope(s)
+	}
+	go apiKeys.TouchLastUsed(context.Background(), key.ID)
+	return key, permissions.RoleFromScopes(scopes)
+}
+
 // extractLocale parses the Accept-Language header and returns a supported locale.
 // Falls back to "en" if no supported language is found.
 func extractLocale(r *http.Request) string {
diff --git a/internal/http/openapi.go b/internal/http/openapi.go
new file mode 100644
index 00000000..4c07058f
--- /dev/null
+++ b/internal/http/openapi.go
@@ -0,0 +1,69 @@
+package http
+
+import (
+	_ "embed"
+	"net/http"
+)
+
+//go:embed openapi_spec.json
+var openapiSpec []byte
+
+// DocsHandler serves the OpenAPI spec and Swagger UI.
+type DocsHandler struct {
+	token string
+}
+
+// NewDocsHandler creates a handler for API documentation endpoints.
+func NewDocsHandler(token string) *DocsHandler {
+	return &DocsHandler{token: token}
+}
+
+// RegisterRoutes registers documentation routes on the given mux.
+func (h *DocsHandler) RegisterRoutes(mux *http.ServeMux) {
+	mux.HandleFunc("GET /v1/openapi.json", h.handleSpec)
+	mux.HandleFunc("GET /docs", h.handleSwaggerUI)
+	mux.HandleFunc("GET /docs/", h.handleSwaggerUI)
+}
+
+func (h *DocsHandler) handleSpec(w http.ResponseWriter, _ *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+	w.Write(openapiSpec)
+}
+
+func (h *DocsHandler) handleSwaggerUI(w http.ResponseWriter, _ *http.Request) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Write([]byte(swaggerHTML))
+}
+
+const swaggerHTML = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>GoClaw API Documentation</title>
+  <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5.18.2/swagger-ui.css">
+  <style>
+    html { box-sizing: border-box; overflow-y: scroll; }
+    *, *:before, *:after { box-sizing: inherit; }
+    body { margin: 0; background: #fafafa; }
+    .topbar { display: none; }
+  </style>
+</head>
+<body>
+  <div id="swagger-ui"></div>
+  <script src="https://unpkg.com/swagger-ui-dist@5.18.2/swagger-ui-bundle.js"></script>
+  <script>
+    SwaggerUIBundle({
+      url: "/v1/openapi.json",
+      dom_id: "#swagger-ui",
+      deepLinking: true,
+      presets: [SwaggerUIBundle.presets.apis, SwaggerUIBundle.SwaggerUIStandalonePreset],
+      layout: "BaseLayout",
+      defaultModelsExpandDepth: 2,
+      defaultModelExpandDepth: 2,
+      tryItOutEnabled: true,
+    });
+  </script>
+</body>
+</html>`
diff --git a/internal/http/openapi_spec.json b/internal/http/openapi_spec.json
new file mode 100644
index 00000000..b274709d
--- /dev/null
+++ b/internal/http/openapi_spec.json
@@ -0,0 +1,680 @@
+{
+  "openapi": "3.0.3",
+  "info": {
+    "title": "GoClaw Gateway API",
+    "description": "PostgreSQL multi-tenant AI agent gateway with WebSocket RPC + HTTP API.\n\n## Authentication\n\nAll endpoints require a Bearer token in the `Authorization` header:\n\n```\nAuthorization: Bearer <gateway-token-or-api-key>\n```\n\nYou can use either the **gateway token** (grants admin access) or an **API key** created via the API Keys endpoints (grants scoped access).\n\nIf no token is configured on the server, authentication is disabled (backward compatibility).\n\n## Common Headers\n\n| Header | Description |\n|--------|-------------|\n| `X-GoClaw-User-Id` | External user ID for multi-tenant context |\n| `X-GoClaw-Agent-Id` | Target agent ID (alternative to model prefix) |\n| `Accept-Language` | Locale for error messages (`en`, `vi`, `zh`) |\n\n## WebSocket Protocol\n\nConnect via `POST /ws` (upgrade). Protocol v3 uses frame types: `req`, `res`, `event`.\nFirst request must be `connect` with `{\"token\": \"...\", \"user_id\": \"...\", \"locale\": \"en\"}`.",
+    "version": "0.2.0",
+    "contact": {
+      "name": "GoClaw",
+      "url": "https://github.com/nextlevelbuilder/goclaw"
+    }
+  },
+  "servers": [
+    {
+      "url": "/",
+      "description": "Current server"
+    }
+  ],
+  "tags": [
+    { "name": "Chat", "description": "OpenAI-compatible chat completions" },
+    { "name": "API Keys", "description": "Gateway API key management (admin only)" },
+    { "name": "Agents", "description": "Agent CRUD and configuration" },
+    { "name": "Sessions", "description": "Chat session management (via WebSocket RPC)" },
+    { "name": "Providers", "description": "LLM provider configuration" },
+    { "name": "Skills", "description": "Skill management and grants" },
+    { "name": "MCP Servers", "description": "MCP server configuration and grants" },
+    { "name": "Custom Tools", "description": "Custom tool definitions" },
+    { "name": "Built-in Tools", "description": "Built-in tool configuration" },
+    { "name": "Memory", "description": "Agent memory (pgvector) management" },
+    { "name": "Knowledge Graph", "description": "Entity knowledge graph" },
+    { "name": "Channels", "description": "Channel instance management" },
+    { "name": "Traces", "description": "LLM call tracing" },
+    { "name": "Usage", "description": "Usage analytics" },
+    { "name": "Activity", "description": "Audit activity log" },
+    { "name": "Storage", "description": "Workspace file management" },
+    { "name": "Media", "description": "Media upload and serving" },
+    { "name": "System", "description": "Health check and system info" }
+  ],
+  "security": [{ "bearerAuth": [] }],
+  "paths": {
+    "/health": {
+      "get": {
+        "tags": ["System"],
+        "summary": "Health check",
+        "security": [],
+        "responses": {
+          "200": {
+            "description": "Server health status",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "status": { "type": "string", "example": "ok" },
+                    "uptime_ms": { "type": "integer" },
+                    "mode": { "type": "string", "example": "managed" },
+                    "database": { "type": "string", "example": "ok" }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "/v1/chat/completions": {
+      "post": {
+        "tags": ["Chat"],
+        "summary": "OpenAI-compatible chat completions",
+        "description": "Send messages to an agent and get a response. Compatible with OpenAI's chat completions API.\n\nUse the `model` field to target a specific agent: `goclaw:<agent-id>` or `agent:<agent-id>`.",
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "required": ["messages"],
+                "properties": {
+                  "model": {
+                    "type": "string",
+                    "description": "Agent targeting: `goclaw:<id>` or `agent:<id>`. Defaults to `default`.",
+                    "example": "goclaw:default"
+                  },
+                  "messages": {
+                    "type": "array",
+                    "items": {
+                      "type": "object",
+                      "required": ["role", "content"],
+                      "properties": {
+                        "role": { "type": "string", "enum": ["system", "user", "assistant"] },
+                        "content": { "type": "string" }
+                      }
+                    }
+                  },
+                  "stream": { "type": "boolean", "default": false },
+                  "user": { "type": "string", "description": "External user ID" }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": { "description": "Chat completion response (or SSE stream if stream=true)" },
+          "401": { "$ref": "#/components/responses/Unauthorized" },
+          "429": { "description": "Rate limit exceeded" }
+        }
+      }
+    },
+    "/v1/api-keys": {
+      "get": {
+        "tags": ["API Keys"],
+        "summary": "List all API keys",
+        "description": "Returns all API keys (active and revoked). Key hashes are never included in responses. Requires admin access.",
+        "responses": {
+          "200": {
+            "description": "List of API keys",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": { "$ref": "#/components/schemas/ApiKey" }
+                }
+              }
+            }
+          },
+          "401": { "$ref": "#/components/responses/Unauthorized" }
+        }
+      },
+      "post": {
+        "tags": ["API Keys"],
+        "summary": "Create a new API key",
+        "description": "Creates a new API key with the specified scopes. The raw key is returned **only once** in the response — store it securely.\n\nAvailable scopes:\n- `operator.admin` — Full admin access\n- `operator.read` — Read-only access\n- `operator.write` — Read + write access\n- `operator.approvals` — Manage exec approvals\n- `operator.pairing` — Manage device pairing",
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "required": ["name", "scopes"],
+                "properties": {
+                  "name": { "type": "string", "example": "ci-deploy" },
+                  "scopes": {
+                    "type": "array",
+                    "items": { "type": "string", "enum": ["operator.admin", "operator.read", "operator.write", "operator.approvals", "operator.pairing"] },
+                    "example": ["operator.read", "operator.write"]
+                  },
+                  "expires_in": {
+                    "type": "integer",
+                    "description": "Expiry in seconds. Omit or 0 for never.",
+                    "example": 2592000
+                  }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": "API key created. The `key` field is shown only once.",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "id": { "type": "string", "format": "uuid" },
+                    "name": { "type": "string" },
+                    "prefix": { "type": "string", "example": "goclaw_a" },
+                    "key": { "type": "string", "description": "Raw API key (shown once)", "example": "goclaw_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4" },
+                    "scopes": { "type": "array", "items": { "type": "string" } },
+                    "expires_at": { "type": "string", "format": "date-time", "nullable": true },
+                    "created_at": { "type": "string", "format": "date-time" }
+                  }
+                }
+              }
+            }
+          },
+          "400": { "$ref": "#/components/responses/BadRequest" },
+          "401": { "$ref": "#/components/responses/Unauthorized" }
+        }
+      }
+    },
+    "/v1/api-keys/{id}": {
+      "delete": {
+        "tags": ["API Keys"],
+        "summary": "Revoke an API key",
+        "description": "Revokes an API key. Revoked keys can no longer be used for authentication. This action cannot be undone.",
+        "parameters": [
+          { "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }
+        ],
+        "responses": {
+          "200": {
+            "description": "Key revoked",
+            "content": { "application/json": { "schema": { "type": "object", "properties": { "status": { "type": "string", "example": "revoked" } } } } }
+          },
+          "401": { "$ref": "#/components/responses/Unauthorized" },
+          "404": { "$ref": "#/components/responses/NotFound" }
+        }
+      }
+    },
+    "/v1/agents": {
+      "get": {
+        "tags": ["Agents"],
+        "summary": "List agents",
+        "description": "List all agents accessible to the current user. Owners see all agents.",
+        "parameters": [
+          { "name": "X-GoClaw-User-Id", "in": "header", "required": true, "schema": { "type": "string" } }
+        ],
+        "responses": {
+          "200": { "description": "Agent list" },
+          "401": { "$ref": "#/components/responses/Unauthorized" }
+        }
+      },
+      "post": {
+        "tags": ["Agents"],
+        "summary": "Create agent",
+        "description": "Create a new agent with the specified configuration.",
+        "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AgentInput" } } } },
+        "responses": {
+          "201": { "description": "Agent created" },
+          "400": { "$ref": "#/components/responses/BadRequest" },
+          "401": { "$ref": "#/components/responses/Unauthorized" }
+        }
+      }
+    },
+    "/v1/agents/{id}": {
+      "get": {
+        "tags": ["Agents"],
+        "summary": "Get agent",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "responses": { "200": { "description": "Agent details" }, "404": { "$ref": "#/components/responses/NotFound" } }
+      },
+      "put": {
+        "tags": ["Agents"],
+        "summary": "Update agent",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AgentInput" } } } },
+        "responses": { "200": { "description": "Agent updated" }, "404": { "$ref": "#/components/responses/NotFound" } }
+      },
+      "delete": {
+        "tags": ["Agents"],
+        "summary": "Delete agent",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "responses": { "200": { "description": "Agent deleted" }, "404": { "$ref": "#/components/responses/NotFound" } }
+      }
+    },
+    "/v1/agents/{id}/wake": {
+      "post": {
+        "tags": ["Agents"],
+        "summary": "Wake/trigger agent externally",
+        "description": "Trigger an agent run from an external webhook or automation.",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "message": { "type": "string" }, "user_id": { "type": "string" } } } } } },
+        "responses": { "200": { "description": "Agent triggered" } }
+      }
+    },
+    "/v1/providers": {
+      "get": {
+        "tags": ["Providers"],
+        "summary": "List LLM providers",
+        "responses": { "200": { "description": "Provider list (API keys masked)" } }
+      },
+      "post": {
+        "tags": ["Providers"],
+        "summary": "Create LLM provider",
+        "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ProviderInput" } } } },
+        "responses": { "201": { "description": "Provider created" } }
+      }
+    },
+    "/v1/providers/{id}": {
+      "get": {
+        "tags": ["Providers"],
+        "summary": "Get provider",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "responses": { "200": { "description": "Provider details (API key masked)" } }
+      },
+      "put": {
+        "tags": ["Providers"],
+        "summary": "Update provider",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "responses": { "200": { "description": "Provider updated" } }
+      },
+      "delete": {
+        "tags": ["Providers"],
+        "summary": "Delete provider",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "responses": { "200": { "description": "Provider deleted" } }
+      }
+    },
+    "/v1/providers/{id}/models": {
+      "get": {
+        "tags": ["Providers"],
+        "summary": "List available models",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "responses": { "200": { "description": "Model list" } }
+      }
+    },
+    "/v1/providers/{id}/verify": {
+      "post": {
+        "tags": ["Providers"],
+        "summary": "Verify provider connection",
+        "description": "Test provider connectivity with a minimal LLM call.",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "model": { "type": "string" } } } } } },
+        "responses": { "200": { "description": "Verification result", "content": { "application/json": { "schema": { "type": "object", "properties": { "valid": { "type": "boolean" }, "error": { "type": "string" } } } } } } }
+      }
+    },
+    "/v1/skills": {
+      "get": {
+        "tags": ["Skills"],
+        "summary": "List all skills",
+        "responses": { "200": { "description": "Skill list" } }
+      },
+      "post": {
+        "tags": ["Skills"],
+        "summary": "Upload skill",
+        "requestBody": { "content": { "multipart/form-data": {} } },
+        "responses": { "201": { "description": "Skill uploaded" } }
+      }
+    },
+    "/v1/skills/{id}": {
+      "get": {
+        "tags": ["Skills"],
+        "summary": "Get skill",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "responses": { "200": { "description": "Skill details" } }
+      },
+      "put": {
+        "tags": ["Skills"],
+        "summary": "Update skill",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "responses": { "200": { "description": "Skill updated" } }
+      },
+      "delete": {
+        "tags": ["Skills"],
+        "summary": "Delete skill",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "responses": { "200": { "description": "Skill deleted" } }
+      }
+    },
+    "/v1/tools/custom": {
+      "get": {
+        "tags": ["Custom Tools"],
+        "summary": "List custom tools",
+        "responses": { "200": { "description": "Custom tool list" } }
+      },
+      "post": {
+        "tags": ["Custom Tools"],
+        "summary": "Create custom tool",
+        "responses": { "201": { "description": "Tool created" } }
+      }
+    },
+    "/v1/tools/custom/{id}": {
+      "get": {
+        "tags": ["Custom Tools"],
+        "summary": "Get custom tool",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "responses": { "200": { "description": "Tool details" } }
+      },
+      "put": {
+        "tags": ["Custom Tools"],
+        "summary": "Update custom tool",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "responses": { "200": { "description": "Tool updated" } }
+      },
+      "delete": {
+        "tags": ["Custom Tools"],
+        "summary": "Delete custom tool",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "responses": { "200": { "description": "Tool deleted" } }
+      }
+    },
+    "/v1/tools/builtin": {
+      "get": {
+        "tags": ["Built-in Tools"],
+        "summary": "List built-in tools",
+        "responses": { "200": { "description": "Built-in tool list" } }
+      }
+    },
+    "/v1/tools/builtin/{name}": {
+      "get": {
+        "tags": ["Built-in Tools"],
+        "summary": "Get built-in tool",
+        "parameters": [{ "name": "name", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "responses": { "200": { "description": "Tool details" } }
+      },
+      "put": {
+        "tags": ["Built-in Tools"],
+        "summary": "Update tool settings",
+        "parameters": [{ "name": "name", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "responses": { "200": { "description": "Tool updated" } }
+      }
+    },
+    "/v1/mcp/servers": {
+      "get": {
+        "tags": ["MCP Servers"],
+        "summary": "List MCP servers",
+        "responses": { "200": { "description": "MCP server list" } }
+      },
+      "post": {
+        "tags": ["MCP Servers"],
+        "summary": "Create MCP server",
+        "responses": { "201": { "description": "Server created" } }
+      }
+    },
+    "/v1/mcp/servers/{id}": {
+      "get": {
+        "tags": ["MCP Servers"],
+        "summary": "Get MCP server",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "responses": { "200": { "description": "Server details" } }
+      },
+      "put": {
+        "tags": ["MCP Servers"],
+        "summary": "Update MCP server",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "responses": { "200": { "description": "Server updated" } }
+      },
+      "delete": {
+        "tags": ["MCP Servers"],
+        "summary": "Delete MCP server",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "responses": { "200": { "description": "Server deleted" } }
+      }
+    },
+    "/v1/mcp/servers/{id}/tools": {
+      "get": {
+        "tags": ["MCP Servers"],
+        "summary": "List server tools",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "responses": { "200": { "description": "Tool list" } }
+      }
+    },
+    "/v1/memory/documents": {
+      "get": {
+        "tags": ["Memory"],
+        "summary": "List all memory documents",
+        "responses": { "200": { "description": "Document list" } }
+      }
+    },
+    "/v1/agents/{agentID}/memory/search": {
+      "post": {
+        "tags": ["Memory"],
+        "summary": "Search agent memory",
+        "parameters": [{ "name": "agentID", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "query": { "type": "string" }, "limit": { "type": "integer", "default": 10 } } } } } },
+        "responses": { "200": { "description": "Search results" } }
+      }
+    },
+    "/v1/agents/{agentID}/kg/entities": {
+      "get": {
+        "tags": ["Knowledge Graph"],
+        "summary": "List KG entities",
+        "parameters": [{ "name": "agentID", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "responses": { "200": { "description": "Entity list" } }
+      },
+      "post": {
+        "tags": ["Knowledge Graph"],
+        "summary": "Upsert KG entity",
+        "parameters": [{ "name": "agentID", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "responses": { "200": { "description": "Entity upserted" } }
+      }
+    },
+    "/v1/agents/{agentID}/kg/traverse": {
+      "post": {
+        "tags": ["Knowledge Graph"],
+        "summary": "Traverse knowledge graph",
+        "parameters": [{ "name": "agentID", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "responses": { "200": { "description": "Traversal results" } }
+      }
+    },
+    "/v1/channels/instances": {
+      "get": {
+        "tags": ["Channels"],
+        "summary": "List channel instances",
+        "responses": { "200": { "description": "Instance list" } }
+      },
+      "post": {
+        "tags": ["Channels"],
+        "summary": "Create channel instance",
+        "responses": { "201": { "description": "Instance created" } }
+      }
+    },
+    "/v1/channels/instances/{id}": {
+      "get": {
+        "tags": ["Channels"],
+        "summary": "Get channel instance",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "responses": { "200": { "description": "Instance details" } }
+      },
+      "put": {
+        "tags": ["Channels"],
+        "summary": "Update channel instance",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "responses": { "200": { "description": "Instance updated" } }
+      },
+      "delete": {
+        "tags": ["Channels"],
+        "summary": "Delete channel instance",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string", "format": "uuid" } }],
+        "responses": { "200": { "description": "Instance deleted" } }
+      }
+    },
+    "/v1/contacts": {
+      "get": {
+        "tags": ["Channels"],
+        "summary": "List channel contacts",
+        "responses": { "200": { "description": "Contact list" } }
+      }
+    },
+    "/v1/traces": {
+      "get": {
+        "tags": ["Traces"],
+        "summary": "List LLM traces",
+        "parameters": [
+          { "name": "limit", "in": "query", "schema": { "type": "integer", "default": 50 } },
+          { "name": "offset", "in": "query", "schema": { "type": "integer", "default": 0 } },
+          { "name": "agent_id", "in": "query", "schema": { "type": "string" } }
+        ],
+        "responses": { "200": { "description": "Trace list" } }
+      }
+    },
+    "/v1/traces/{traceID}": {
+      "get": {
+        "tags": ["Traces"],
+        "summary": "Get trace detail",
+        "parameters": [{ "name": "traceID", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "responses": { "200": { "description": "Trace detail with messages" } }
+      }
+    },
+    "/v1/costs/summary": {
+      "get": {
+        "tags": ["Traces"],
+        "summary": "Get cost summary",
+        "responses": { "200": { "description": "Cost summary" } }
+      }
+    },
+    "/v1/usage/timeseries": {
+      "get": {
+        "tags": ["Usage"],
+        "summary": "Usage timeseries analytics",
+        "parameters": [
+          { "name": "period", "in": "query", "schema": { "type": "string", "enum": ["1h", "24h", "7d", "30d"] } }
+        ],
+        "responses": { "200": { "description": "Timeseries data" } }
+      }
+    },
+    "/v1/usage/summary": {
+      "get": {
+        "tags": ["Usage"],
+        "summary": "Usage summary",
+        "responses": { "200": { "description": "Usage summary" } }
+      }
+    },
+    "/v1/activity": {
+      "get": {
+        "tags": ["Activity"],
+        "summary": "List audit activity logs",
+        "parameters": [
+          { "name": "limit", "in": "query", "schema": { "type": "integer", "default": 50 } },
+          { "name": "offset", "in": "query", "schema": { "type": "integer", "default": 0 } }
+        ],
+        "responses": { "200": { "description": "Activity log entries" } }
+      }
+    },
+    "/v1/delegations": {
+      "get": {
+        "tags": ["Activity"],
+        "summary": "List delegation history",
+        "responses": { "200": { "description": "Delegation list" } }
+      }
+    },
+    "/v1/storage/files": {
+      "get": {
+        "tags": ["Storage"],
+        "summary": "List workspace files",
+        "parameters": [
+          { "name": "path", "in": "query", "schema": { "type": "string" }, "description": "Subdirectory path" }
+        ],
+        "responses": { "200": { "description": "File listing" } }
+      }
+    },
+    "/v1/media/upload": {
+      "post": {
+        "tags": ["Media"],
+        "summary": "Upload media file",
+        "requestBody": { "content": { "multipart/form-data": { "schema": { "type": "object", "properties": { "file": { "type": "string", "format": "binary" } } } } } },
+        "responses": { "200": { "description": "Upload result with temp path and MIME type" } }
+      }
+    },
+    "/v1/media/{id}": {
+      "get": {
+        "tags": ["Media"],
+        "summary": "Serve media by ID",
+        "parameters": [{ "name": "id", "in": "path", "required": true, "schema": { "type": "string" } }],
+        "responses": { "200": { "description": "Media file" } }
+      }
+    },
+    "/v1/pending-messages": {
+      "get": {
+        "tags": ["Channels"],
+        "summary": "List pending message groups",
+        "responses": { "200": { "description": "Message group list" } }
+      },
+      "delete": {
+        "tags": ["Channels"],
+        "summary": "Clear pending message group",
+        "responses": { "200": { "description": "Group cleared" } }
+      }
+    }
+  },
+  "components": {
+    "securitySchemes": {
+      "bearerAuth": {
+        "type": "http",
+        "scheme": "bearer",
+        "description": "Gateway token or API key"
+      }
+    },
+    "schemas": {
+      "ApiKey": {
+        "type": "object",
+        "properties": {
+          "id": { "type": "string", "format": "uuid" },
+          "name": { "type": "string" },
+          "prefix": { "type": "string", "description": "First 8 chars for identification" },
+          "scopes": { "type": "array", "items": { "type": "string" } },
+          "expires_at": { "type": "string", "format": "date-time", "nullable": true },
+          "last_used_at": { "type": "string", "format": "date-time", "nullable": true },
+          "revoked": { "type": "boolean" },
+          "created_by": { "type": "string" },
+          "created_at": { "type": "string", "format": "date-time" },
+          "updated_at": { "type": "string", "format": "date-time" }
+        }
+      },
+      "AgentInput": {
+        "type": "object",
+        "properties": {
+          "name": { "type": "string", "description": "Unique agent slug" },
+          "display_name": { "type": "string" },
+          "agent_type": { "type": "string", "enum": ["open", "predefined"] },
+          "description": { "type": "string" },
+          "provider": { "type": "string", "description": "LLM provider name" },
+          "model": { "type": "string", "description": "Model ID" },
+          "system_prompt": { "type": "string" }
+        }
+      },
+      "ProviderInput": {
+        "type": "object",
+        "required": ["name", "provider_type"],
+        "properties": {
+          "name": { "type": "string", "description": "Unique provider slug" },
+          "display_name": { "type": "string" },
+          "provider_type": { "type": "string", "enum": ["anthropic_native", "openai_compat", "gemini_native", "groq", "deepseek", "mistral", "xai", "ollama"] },
+          "api_base": { "type": "string" },
+          "api_key": { "type": "string" },
+          "enabled": { "type": "boolean", "default": true }
+        }
+      },
+      "Error": {
+        "type": "object",
+        "properties": {
+          "error": { "type": "string" }
+        }
+      }
+    },
+    "responses": {
+      "Unauthorized": {
+        "description": "Authentication required or invalid token",
+        "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } }
+      },
+      "BadRequest": {
+        "description": "Invalid request parameters",
+        "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } }
+      },
+      "NotFound": {
+        "description": "Resource not found",
+        "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } }
+      }
+    }
+  }
+}
diff --git a/internal/permissions/policy.go b/internal/permissions/policy.go
index 2066d0b2..40bee011 100644
--- a/internal/permissions/policy.go
+++ b/internal/permissions/policy.go
@@ -39,6 +39,20 @@ const (
 	ScopePairing   Scope = "operator.pairing"
 )
 
+// AllScopes is the set of all valid API key scopes.
+var AllScopes = map[Scope]bool{
+	ScopeAdmin:     true,
+	ScopeRead:      true,
+	ScopeWrite:     true,
+	ScopeApprovals: true,
+	ScopePairing:   true,
+}
+
+// ValidScope reports whether s is a recognised API key scope.
+func ValidScope(s string) bool {
+	return AllScopes[Scope(s)]
+}
+
 // PolicyEngine evaluates user permissions for gateway method access.
 type PolicyEngine struct {
 	ownerIDs map[string]bool // sender IDs that are considered "owner"
@@ -159,6 +173,9 @@ func isAdminMethod(method string) bool {
 		protocol.MethodTeamsTaskGet,
 		protocol.MethodTeamsTaskComments,
 		protocol.MethodTeamsTaskEvents,
+		protocol.MethodAPIKeysList,
+		protocol.MethodAPIKeysCreate,
+		protocol.MethodAPIKeysRevoke,
 	}
 	return slices.Contains(adminMethods, method)
 }
diff --git a/internal/store/api_key_store.go b/internal/store/api_key_store.go
new file mode 100644
index 00000000..baaf08dc
--- /dev/null
+++ b/internal/store/api_key_store.go
@@ -0,0 +1,44 @@
+package store
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// APIKeyData represents a gateway API key with scoped permissions.
+type APIKeyData struct {
+	ID         uuid.UUID  `json:"id"`
+	Name       string     `json:"name"`
+	Prefix     string     `json:"prefix"`      // first 8 chars for display
+	KeyHash    string     `json:"-"`            // SHA-256 hex, never serialized
+	Scopes     []string   `json:"scopes"`       // e.g. ["operator.admin","operator.read"]
+	ExpiresAt  *time.Time `json:"expires_at"`   // nil = never
+	LastUsedAt *time.Time `json:"last_used_at"`
+	Revoked    bool       `json:"revoked"`
+	CreatedBy  string     `json:"created_by"`
+	CreatedAt  time.Time  `json:"created_at"`
+	UpdatedAt  time.Time  `json:"updated_at"`
+}
+
+// APIKeyStore manages gateway API keys.
+type APIKeyStore interface {
+	// Create inserts a new API key.
+	Create(ctx context.Context, key *APIKeyData) error
+
+	// GetByHash looks up an active (non-revoked, non-expired) key by its SHA-256 hash.
+	GetByHash(ctx context.Context, keyHash string) (*APIKeyData, error)
+
+	// List returns all API keys (for admin display; key hashes are not included).
+	List(ctx context.Context) ([]APIKeyData, error)
+
+	// Revoke marks a key as revoked.
+	Revoke(ctx context.Context, id uuid.UUID) error
+
+	// Delete permanently removes a key.
+	Delete(ctx context.Context, id uuid.UUID) error
+
+	// TouchLastUsed updates the last_used_at timestamp.
+	TouchLastUsed(ctx context.Context, id uuid.UUID) error
+}
diff --git a/internal/store/pg/api_keys.go b/internal/store/pg/api_keys.go
new file mode 100644
index 00000000..b81ee289
--- /dev/null
+++ b/internal/store/pg/api_keys.go
@@ -0,0 +1,124 @@
+package pg
+
+import (
+	"context"
+	"database/sql"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/lib/pq"
+
+	"github.com/nextlevelbuilder/goclaw/internal/store"
+)
+
+// PGAPIKeyStore implements store.APIKeyStore using PostgreSQL.
+type PGAPIKeyStore struct {
+	db *sql.DB
+}
+
+// NewPGAPIKeyStore creates a new PostgreSQL-backed API key store.
+func NewPGAPIKeyStore(db *sql.DB) *PGAPIKeyStore {
+	return &PGAPIKeyStore{db: db}
+}
+
+func (s *PGAPIKeyStore) Create(ctx context.Context, key *store.APIKeyData) error {
+	_, err := s.db.ExecContext(ctx,
+		`INSERT INTO api_keys (id, name, prefix, key_hash, scopes, expires_at, created_by, created_at, updated_at)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)`,
+		key.ID, key.Name, key.Prefix, key.KeyHash, pq.Array(key.Scopes),
+		key.ExpiresAt, nilStr(key.CreatedBy), key.CreatedAt, key.UpdatedAt,
+	)
+	return err
+}
+
+func (s *PGAPIKeyStore) GetByHash(ctx context.Context, keyHash string) (*store.APIKeyData, error) {
+	row := s.db.QueryRowContext(ctx,
+		`SELECT id, name, prefix, key_hash, scopes, expires_at, last_used_at, revoked, created_by, created_at, updated_at
+		 FROM api_keys
+		 WHERE key_hash = $1 AND NOT revoked AND (expires_at IS NULL OR expires_at > now())`,
+		keyHash,
+	)
+
+	var k store.APIKeyData
+	var createdBy *string
+	err := row.Scan(
+		&k.ID, &k.Name, &k.Prefix, &k.KeyHash, pq.Array(&k.Scopes),
+		&k.ExpiresAt, &k.LastUsedAt, &k.Revoked, &createdBy,
+		&k.CreatedAt, &k.UpdatedAt,
+	)
+	if err != nil {
+		return nil, err
+	}
+	if createdBy != nil {
+		k.CreatedBy = *createdBy
+	}
+
+	return &k, nil
+}
+
+func (s *PGAPIKeyStore) List(ctx context.Context) ([]store.APIKeyData, error) {
+	rows, err := s.db.QueryContext(ctx,
+		`SELECT id, name, prefix, scopes, expires_at, last_used_at, revoked, created_by, created_at, updated_at
+		 FROM api_keys
+		 ORDER BY created_at DESC`,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var keys []store.APIKeyData
+	for rows.Next() {
+		var k store.APIKeyData
+		var createdBy *string
+		if err := rows.Scan(
+			&k.ID, &k.Name, &k.Prefix, pq.Array(&k.Scopes),
+			&k.ExpiresAt, &k.LastUsedAt, &k.Revoked, &createdBy,
+			&k.CreatedAt, &k.UpdatedAt,
+		); err != nil {
+			return nil, err
+		}
+		if createdBy != nil {
+			k.CreatedBy = *createdBy
+		}
+		keys = append(keys, k)
+	}
+	return keys, rows.Err()
+}
+
+func (s *PGAPIKeyStore) Revoke(ctx context.Context, id uuid.UUID) error {
+	res, err := s.db.ExecContext(ctx,
+		`UPDATE api_keys SET revoked = true, updated_at = $2 WHERE id = $1`,
+		id, time.Now(),
+	)
+	if err != nil {
+		return err
+	}
+	n, _ := res.RowsAffected()
+	if n == 0 {
+		return sql.ErrNoRows
+	}
+	return nil
+}
+
+func (s *PGAPIKeyStore) Delete(ctx context.Context, id uuid.UUID) error {
+	res, err := s.db.ExecContext(ctx,
+		`DELETE FROM api_keys WHERE id = $1`, id,
+	)
+	if err != nil {
+		return err
+	}
+	n, _ := res.RowsAffected()
+	if n == 0 {
+		return sql.ErrNoRows
+	}
+	return nil
+}
+
+func (s *PGAPIKeyStore) TouchLastUsed(ctx context.Context, id uuid.UUID) error {
+	_, err := s.db.ExecContext(ctx,
+		`UPDATE api_keys SET last_used_at = $2 WHERE id = $1`,
+		id, time.Now(),
+	)
+	return err
+}
diff --git a/internal/store/pg/factory.go b/internal/store/pg/factory.go
index 58b1ea0a..9c063e48 100644
--- a/internal/store/pg/factory.go
+++ b/internal/store/pg/factory.go
@@ -44,5 +44,6 @@ func NewPGStores(cfg store.StoreConfig) (*store.Stores, error) {
 		Contacts:         NewPGContactStore(db),
 		Activity:         NewPGActivityStore(db),
 		Snapshots:        NewPGSnapshotStore(db),
+		APIKeys:          NewPGAPIKeyStore(db),
 	}, nil
 }
diff --git a/internal/store/stores.go b/internal/store/stores.go
index f89abbe9..3a4074df 100644
--- a/internal/store/stores.go
+++ b/internal/store/stores.go
@@ -25,4 +25,5 @@ type Stores struct {
 	Contacts         ContactStore
 	Activity         ActivityStore
 	Snapshots        SnapshotStore
+	APIKeys          APIKeyStore
 }
diff --git a/internal/upgrade/version.go b/internal/upgrade/version.go
index b4e625e5..0e6b69fc 100644
--- a/internal/upgrade/version.go
+++ b/internal/upgrade/version.go
@@ -2,4 +2,4 @@ package upgrade
 
 // RequiredSchemaVersion is the schema migration version this binary requires.
 // Bump this whenever adding a new SQL migration file.
-const RequiredSchemaVersion uint = 18
+const RequiredSchemaVersion uint = 20
diff --git a/migrations/000020_api_keys.down.sql b/migrations/000020_api_keys.down.sql
new file mode 100644
index 00000000..3a3da99d
--- /dev/null
+++ b/migrations/000020_api_keys.down.sql
@@ -0,0 +1 @@
+DROP TABLE IF EXISTS api_keys;
diff --git a/migrations/000020_api_keys.up.sql b/migrations/000020_api_keys.up.sql
new file mode 100644
index 00000000..3e3e36fc
--- /dev/null
+++ b/migrations/000020_api_keys.up.sql
@@ -0,0 +1,20 @@
+-- API key management: multiple keys with fine-grained scopes
+CREATE TABLE api_keys (
+    id            UUID PRIMARY KEY,
+    name          VARCHAR(100) NOT NULL,
+    prefix        VARCHAR(8)   NOT NULL,              -- first 8 chars for display identification
+    key_hash      VARCHAR(64)  NOT NULL UNIQUE,       -- SHA-256 hex digest
+    scopes        TEXT[]       NOT NULL DEFAULT '{}',  -- e.g. {'operator.admin','operator.read'}
+    expires_at    TIMESTAMPTZ,                         -- NULL = never expires
+    last_used_at  TIMESTAMPTZ,
+    revoked       BOOLEAN      NOT NULL DEFAULT false,
+    created_by    VARCHAR(255),                        -- user ID who created the key
+    created_at    TIMESTAMPTZ  NOT NULL DEFAULT now(),
+    updated_at    TIMESTAMPTZ  NOT NULL DEFAULT now()
+);
+
+-- Fast lookup by hash (only active keys)
+CREATE INDEX idx_api_keys_key_hash ON api_keys (key_hash) WHERE NOT revoked;
+
+-- Fast lookup by prefix (for display/search)
+CREATE INDEX idx_api_keys_prefix ON api_keys (prefix);
diff --git a/pkg/protocol/methods.go b/pkg/protocol/methods.go
index ecff9a0c..262d0f3e 100644
--- a/pkg/protocol/methods.go
+++ b/pkg/protocol/methods.go
@@ -135,6 +135,13 @@ const (
 	MethodDelegationsGet  = "delegations.get"
 )
 
+// API key management
+const (
+	MethodAPIKeysList   = "api_keys.list"
+	MethodAPIKeysCreate = "api_keys.create"
+	MethodAPIKeysRevoke = "api_keys.revoke"
+)
+
 // Phase 3+ - NICE TO HAVE methods
 const (
 	MethodLogsTail = "logs.tail"
diff --git a/ui/web/src/components/layout/sidebar-item.tsx b/ui/web/src/components/layout/sidebar-item.tsx
index e55ae50e..62714ed5 100644
--- a/ui/web/src/components/layout/sidebar-item.tsx
+++ b/ui/web/src/components/layout/sidebar-item.tsx
@@ -8,6 +8,7 @@ interface SidebarItemProps {
   label: string;
   badge?: number;
   collapsed?: boolean;
+  external?: boolean;
 }
 
 export function SidebarItem({
@@ -16,21 +17,20 @@ export function SidebarItem({
   label,
   badge,
   collapsed,
+  external,
 }: SidebarItemProps) {
   const location = useLocation();
-  const active = location.pathname === to || location.pathname.startsWith(to + "/");
+  const active = !external && (location.pathname === to || location.pathname.startsWith(to + "/"));
 
-  return (
-    <Link
-      to={to}
-      className={cn(
-        "flex items-center gap-3 rounded-md px-3 py-2 text-sm transition-colors",
-        "hover:bg-accent hover:text-accent-foreground",
-        active && "bg-accent text-accent-foreground font-medium",
-        collapsed && "justify-center px-2",
-      )}
-      title={collapsed ? label : undefined}
-    >
+  const className = cn(
+    "flex items-center gap-3 rounded-md px-3 py-2 text-sm transition-colors",
+    "hover:bg-accent hover:text-accent-foreground",
+    active && "bg-accent text-accent-foreground font-medium",
+    collapsed && "justify-center px-2",
+  );
+
+  const content = (
+    <>
       <Icon className="h-4 w-4 shrink-0" />
       {!collapsed && <span className="truncate">{label}</span>}
       {!collapsed && badge != null && badge > 0 && (
@@ -38,6 +38,30 @@ export function SidebarItem({
           {badge}
         </span>
       )}
+    </>
+  );
+
+  if (external) {
+    return (
+      <a
+        href={to}
+        target="_blank"
+        rel="noopener noreferrer"
+        className={className}
+        title={collapsed ? label : undefined}
+      >
+        {content}
+      </a>
+    );
+  }
+
+  return (
+    <Link
+      to={to}
+      className={className}
+      title={collapsed ? label : undefined}
+    >
+      {content}
     </Link>
   );
 }
diff --git a/ui/web/src/components/layout/sidebar.tsx b/ui/web/src/components/layout/sidebar.tsx
index 1d0f20cf..7c5e48c8 100644
--- a/ui/web/src/components/layout/sidebar.tsx
+++ b/ui/web/src/components/layout/sidebar.tsx
@@ -24,6 +24,8 @@ import {
   Brain,
   Network,
   Contact,
+  KeyRound,
+  FileText,
 } from "lucide-react";
 import { useTranslation } from "react-i18next";
 import { SidebarGroup } from "./sidebar-group";
@@ -111,8 +113,10 @@ export function Sidebar({ collapsed, onNavItemClick }: SidebarProps) {
 
         <SidebarGroup label={t("groups.system")} collapsed={collapsed}>
           <SidebarItem to={ROUTES.PROVIDERS} icon={Cpu} label={t("nav.providers")} collapsed={collapsed} />
+          <SidebarItem to={ROUTES.API_KEYS} icon={KeyRound} label={t("nav.apiKeys")} collapsed={collapsed} />
           <SidebarItem to={ROUTES.CONFIG} icon={Settings} label={t("nav.config")} collapsed={collapsed} />
           <SidebarItem to={ROUTES.APPROVALS} icon={ShieldCheck} label={t("nav.approvals")} collapsed={collapsed} />
+          <SidebarItem to="/docs" icon={FileText} label={t("nav.apiDocs")} collapsed={collapsed} external />
         </SidebarGroup>
       </nav>
 
diff --git a/ui/web/src/i18n/index.ts b/ui/web/src/i18n/index.ts
index 09c342d0..3527dc8d 100644
--- a/ui/web/src/i18n/index.ts
+++ b/ui/web/src/i18n/index.ts
@@ -32,6 +32,7 @@ import enStorage from "./locales/en/storage.json";
 import enPendingMessages from "./locales/en/pending-messages.json";
 import enContacts from "./locales/en/contacts.json";
 import enActivity from "./locales/en/activity.json";
+import enApiKeys from "./locales/en/api-keys.json";
 
 // --- VI namespaces ---
 import viCommon from "./locales/vi/common.json";
@@ -64,6 +65,7 @@ import viStorage from "./locales/vi/storage.json";
 import viPendingMessages from "./locales/vi/pending-messages.json";
 import viContacts from "./locales/vi/contacts.json";
 import viActivity from "./locales/vi/activity.json";
+import viApiKeys from "./locales/vi/api-keys.json";
 
 // --- ZH namespaces ---
 import zhCommon from "./locales/zh/common.json";
@@ -96,6 +98,7 @@ import zhStorage from "./locales/zh/storage.json";
 import zhPendingMessages from "./locales/zh/pending-messages.json";
 import zhContacts from "./locales/zh/contacts.json";
 import zhActivity from "./locales/zh/activity.json";
+import zhApiKeys from "./locales/zh/api-keys.json";
 
 const STORAGE_KEY = "goclaw:language";
 
@@ -113,7 +116,7 @@ const ns = [
   "agents", "teams", "sessions", "skills", "cron", "config",
   "channels", "providers", "traces", "events", "delegations",
   "usage", "approvals", "nodes", "logs", "tools", "mcp", "tts",
-  "setup", "memory", "storage", "pending-messages", "contacts", "activity",
+  "setup", "memory", "storage", "pending-messages", "contacts", "activity", "api-keys",
 ] as const;
 
 i18n.use(initReactI18next).init({
@@ -127,7 +130,7 @@ i18n.use(initReactI18next).init({
       approvals: enApprovals, nodes: enNodes, logs: enLogs, tools: enTools,
       mcp: enMcp, tts: enTts, setup: enSetup, memory: enMemory, storage: enStorage,
       "pending-messages": enPendingMessages,
-      contacts: enContacts, activity: enActivity,
+      contacts: enContacts, activity: enActivity, "api-keys": enApiKeys,
     },
     vi: {
       common: viCommon, sidebar: viSidebar, topbar: viTopbar, login: viLogin,
@@ -138,7 +141,7 @@ i18n.use(initReactI18next).init({
       approvals: viApprovals, nodes: viNodes, logs: viLogs, tools: viTools,
       mcp: viMcp, tts: viTts, setup: viSetup, memory: viMemory, storage: viStorage,
       "pending-messages": viPendingMessages,
-      contacts: viContacts, activity: viActivity,
+      contacts: viContacts, activity: viActivity, "api-keys": viApiKeys,
     },
     zh: {
       common: zhCommon, sidebar: zhSidebar, topbar: zhTopbar, login: zhLogin,
@@ -149,7 +152,7 @@ i18n.use(initReactI18next).init({
       approvals: zhApprovals, nodes: zhNodes, logs: zhLogs, tools: zhTools,
       mcp: zhMcp, tts: zhTts, setup: zhSetup, memory: zhMemory, storage: zhStorage,
       "pending-messages": zhPendingMessages,
-      contacts: zhContacts, activity: zhActivity,
+      contacts: zhContacts, activity: zhActivity, "api-keys": zhApiKeys,
     },
   },
   ns: [...ns],
diff --git a/ui/web/src/i18n/locales/en/api-keys.json b/ui/web/src/i18n/locales/en/api-keys.json
new file mode 100644
index 00000000..669ea6ab
--- /dev/null
+++ b/ui/web/src/i18n/locales/en/api-keys.json
@@ -0,0 +1,63 @@
+{
+  "title": "API Keys",
+  "description": "Manage gateway API keys with fine-grained permissions.",
+  "addKey": "Create API Key",
+  "searchPlaceholder": "Search keys...",
+  "emptyTitle": "No API keys",
+  "emptyDescription": "Create your first API key to authenticate with the gateway.",
+  "columns": {
+    "name": "Name",
+    "prefix": "Key",
+    "scopes": "Scopes",
+    "lastUsed": "Last Used",
+    "created": "Created",
+    "status": "Status",
+    "actions": "Actions"
+  },
+  "status": {
+    "active": "Active",
+    "revoked": "Revoked",
+    "expired": "Expired"
+  },
+  "form": {
+    "title": "Create API Key",
+    "name": "Name",
+    "namePlaceholder": "e.g. ci-deploy, dashboard-readonly",
+    "scopes": "Scopes",
+    "scopeDescriptions": {
+      "operator.admin": "Full admin access",
+      "operator.read": "Read-only access",
+      "operator.write": "Read + write access",
+      "operator.approvals": "Manage exec approvals",
+      "operator.pairing": "Manage device pairing"
+    },
+    "expiry": "Expiry",
+    "expiryOptions": {
+      "never": "Never",
+      "7d": "7 days",
+      "30d": "30 days",
+      "90d": "90 days"
+    },
+    "create": "Create",
+    "creating": "Creating..."
+  },
+  "created": {
+    "title": "API Key Created",
+    "description": "Copy this key now — it won't be shown again.",
+    "copied": "Copied!",
+    "copy": "Copy to clipboard",
+    "done": "Done"
+  },
+  "revoke": {
+    "title": "Revoke API Key",
+    "description": "Are you sure you want to revoke \"{{name}}\"? This cannot be undone.",
+    "confirmLabel": "Revoke"
+  },
+  "toast": {
+    "created": "API key created",
+    "revoked": "API key revoked",
+    "failedCreate": "Failed to create API key",
+    "failedRevoke": "Failed to revoke API key"
+  },
+  "never": "Never"
+}
diff --git a/ui/web/src/i18n/locales/en/sidebar.json b/ui/web/src/i18n/locales/en/sidebar.json
index 4d4da4f4..e4a454d5 100644
--- a/ui/web/src/i18n/locales/en/sidebar.json
+++ b/ui/web/src/i18n/locales/en/sidebar.json
@@ -35,6 +35,8 @@
     "approvals": "Approvals",
     "nodes": "Nodes",
     "tts": "TTS",
-    "activity": "Activity"
+    "activity": "Activity",
+    "apiKeys": "API Keys",
+    "apiDocs": "API Docs"
   }
 }
diff --git a/ui/web/src/i18n/locales/vi/api-keys.json b/ui/web/src/i18n/locales/vi/api-keys.json
new file mode 100644
index 00000000..306a6d1f
--- /dev/null
+++ b/ui/web/src/i18n/locales/vi/api-keys.json
@@ -0,0 +1,63 @@
+{
+  "title": "API Keys",
+  "description": "Quản lý khóa API gateway với phân quyền chi tiết.",
+  "addKey": "Tạo API Key",
+  "searchPlaceholder": "Tìm khóa...",
+  "emptyTitle": "Chưa có API key",
+  "emptyDescription": "Tạo API key đầu tiên để xác thực với gateway.",
+  "columns": {
+    "name": "Tên",
+    "prefix": "Khóa",
+    "scopes": "Phạm vi",
+    "lastUsed": "Lần dùng cuối",
+    "created": "Ngày tạo",
+    "status": "Trạng thái",
+    "actions": "Thao tác"
+  },
+  "status": {
+    "active": "Hoạt động",
+    "revoked": "Đã thu hồi",
+    "expired": "Hết hạn"
+  },
+  "form": {
+    "title": "Tạo API Key",
+    "name": "Tên",
+    "namePlaceholder": "vd. ci-deploy, dashboard-readonly",
+    "scopes": "Phạm vi quyền",
+    "scopeDescriptions": {
+      "operator.admin": "Toàn quyền quản trị",
+      "operator.read": "Chỉ đọc",
+      "operator.write": "Đọc + ghi",
+      "operator.approvals": "Quản lý phê duyệt",
+      "operator.pairing": "Quản lý ghép nối"
+    },
+    "expiry": "Hạn sử dụng",
+    "expiryOptions": {
+      "never": "Không giới hạn",
+      "7d": "7 ngày",
+      "30d": "30 ngày",
+      "90d": "90 ngày"
+    },
+    "create": "Tạo",
+    "creating": "Đang tạo..."
+  },
+  "created": {
+    "title": "Đã tạo API Key",
+    "description": "Sao chép khóa ngay — sẽ không hiển thị lại.",
+    "copied": "Đã sao chép!",
+    "copy": "Sao chép",
+    "done": "Xong"
+  },
+  "revoke": {
+    "title": "Thu hồi API Key",
+    "description": "Bạn chắc chắn muốn thu hồi \"{{name}}\"? Không thể hoàn tác.",
+    "confirmLabel": "Thu hồi"
+  },
+  "toast": {
+    "created": "Đã tạo API key",
+    "revoked": "Đã thu hồi API key",
+    "failedCreate": "Không thể tạo API key",
+    "failedRevoke": "Không thể thu hồi API key"
+  },
+  "never": "Không giới hạn"
+}
diff --git a/ui/web/src/i18n/locales/vi/sidebar.json b/ui/web/src/i18n/locales/vi/sidebar.json
index 67640d1f..d65c9136 100644
--- a/ui/web/src/i18n/locales/vi/sidebar.json
+++ b/ui/web/src/i18n/locales/vi/sidebar.json
@@ -35,6 +35,8 @@
     "approvals": "Phê duyệt",
     "nodes": "Nodes",
     "tts": "TTS",
-    "activity": "Hoạt động"
+    "activity": "Hoạt động",
+    "apiKeys": "API Keys",
+    "apiDocs": "Tài liệu API"
   }
 }
diff --git a/ui/web/src/i18n/locales/zh/api-keys.json b/ui/web/src/i18n/locales/zh/api-keys.json
new file mode 100644
index 00000000..eb5a0a3d
--- /dev/null
+++ b/ui/web/src/i18n/locales/zh/api-keys.json
@@ -0,0 +1,63 @@
+{
+  "title": "API 密钥",
+  "description": "管理网关 API 密钥及细粒度权限。",
+  "addKey": "创建 API 密钥",
+  "searchPlaceholder": "搜索密钥...",
+  "emptyTitle": "暂无 API 密钥",
+  "emptyDescription": "创建第一个 API 密钥以对网关进行身份验证。",
+  "columns": {
+    "name": "名称",
+    "prefix": "密钥",
+    "scopes": "权限范围",
+    "lastUsed": "最后使用",
+    "created": "创建时间",
+    "status": "状态",
+    "actions": "操作"
+  },
+  "status": {
+    "active": "活跃",
+    "revoked": "已撤销",
+    "expired": "已过期"
+  },
+  "form": {
+    "title": "创建 API 密钥",
+    "name": "名称",
+    "namePlaceholder": "例如 ci-deploy、dashboard-readonly",
+    "scopes": "权限范围",
+    "scopeDescriptions": {
+      "operator.admin": "完全管理员权限",
+      "operator.read": "只读权限",
+      "operator.write": "读写权限",
+      "operator.approvals": "管理执行审批",
+      "operator.pairing": "管理设备配对"
+    },
+    "expiry": "有效期",
+    "expiryOptions": {
+      "never": "永不过期",
+      "7d": "7 天",
+      "30d": "30 天",
+      "90d": "90 天"
+    },
+    "create": "创建",
+    "creating": "创建中..."
+  },
+  "created": {
+    "title": "API 密钥已创建",
+    "description": "请立即复制密钥 — 之后将不再显示。",
+    "copied": "已复制！",
+    "copy": "复制到剪贴板",
+    "done": "完成"
+  },
+  "revoke": {
+    "title": "撤销 API 密钥",
+    "description": "确定要撤销 \"{{name}}\" 吗？此操作不可撤销。",
+    "confirmLabel": "撤销"
+  },
+  "toast": {
+    "created": "API 密钥已创建",
+    "revoked": "API 密钥已撤销",
+    "failedCreate": "创建 API 密钥失败",
+    "failedRevoke": "撤销 API 密钥失败"
+  },
+  "never": "永不"
+}
diff --git a/ui/web/src/i18n/locales/zh/sidebar.json b/ui/web/src/i18n/locales/zh/sidebar.json
index f9224930..b9026a08 100644
--- a/ui/web/src/i18n/locales/zh/sidebar.json
+++ b/ui/web/src/i18n/locales/zh/sidebar.json
@@ -35,6 +35,8 @@
     "traces": "追踪",
     "tts": "TTS",
     "usage": "用量",
-    "activity": "活动日志"
+    "activity": "活动日志",
+    "apiKeys": "API 密钥",
+    "apiDocs": "API 文档"
   }
 }
diff --git a/ui/web/src/lib/constants.ts b/ui/web/src/lib/constants.ts
index 001b48ad..2d53788c 100644
--- a/ui/web/src/lib/constants.ts
+++ b/ui/web/src/lib/constants.ts
@@ -35,6 +35,7 @@ export const ROUTES = {
   MEMORY: "/memory",
   KNOWLEDGE_GRAPH: "/knowledge-graph",
   ACTIVITY: "/activity",
+  API_KEYS: "/api-keys",
   SETUP: "/setup",
 } as const;
 
diff --git a/ui/web/src/lib/query-keys.ts b/ui/web/src/lib/query-keys.ts
index bc6aec12..8c0b6c60 100644
--- a/ui/web/src/lib/query-keys.ts
+++ b/ui/web/src/lib/query-keys.ts
@@ -1,4 +1,7 @@
 export const queryKeys = {
+  apiKeys: {
+    all: ["apiKeys"] as const,
+  },
   providers: {
     all: ["providers"] as const,
     models: (providerId: string) => ["providers", providerId, "models"] as const,
diff --git a/ui/web/src/pages/api-keys/api-key-create-dialog.tsx b/ui/web/src/pages/api-keys/api-key-create-dialog.tsx
new file mode 100644
index 00000000..640bd259
--- /dev/null
+++ b/ui/web/src/pages/api-keys/api-key-create-dialog.tsx
@@ -0,0 +1,140 @@
+import { useState } from "react";
+import { useTranslation } from "react-i18next";
+import {
+  Dialog,
+  DialogContent,
+  DialogHeader,
+  DialogTitle,
+  DialogFooter,
+  DialogDescription,
+} from "@/components/ui/dialog";
+import { Button } from "@/components/ui/button";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import type { ApiKeyCreateInput } from "@/types/api-key";
+
+const ALL_SCOPES = [
+  "operator.admin",
+  "operator.read",
+  "operator.write",
+  "operator.approvals",
+  "operator.pairing",
+] as const;
+
+const EXPIRY_OPTIONS = [
+  { value: "never", seconds: 0 },
+  { value: "7d", seconds: 7 * 86400 },
+  { value: "30d", seconds: 30 * 86400 },
+  { value: "90d", seconds: 90 * 86400 },
+] as const;
+
+interface Props {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  onCreate: (input: ApiKeyCreateInput) => Promise<void>;
+}
+
+export function ApiKeyCreateDialog({ open, onOpenChange, onCreate }: Props) {
+  const { t } = useTranslation("api-keys");
+  const [name, setName] = useState("");
+  const [scopes, setScopes] = useState<string[]>([]);
+  const [expiry, setExpiry] = useState("never");
+  const [saving, setSaving] = useState(false);
+
+  const toggleScope = (scope: string) => {
+    setScopes((prev) =>
+      prev.includes(scope) ? prev.filter((s) => s !== scope) : [...prev, scope],
+    );
+  };
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    if (!name.trim() || scopes.length === 0) return;
+    setSaving(true);
+    try {
+      const expiryOption = EXPIRY_OPTIONS.find((o) => o.value === expiry);
+      await onCreate({
+        name: name.trim(),
+        scopes,
+        expires_in: expiryOption && expiryOption.seconds > 0 ? expiryOption.seconds : undefined,
+      });
+      // Reset form
+      setName("");
+      setScopes([]);
+      setExpiry("never");
+    } finally {
+      setSaving(false);
+    }
+  };
+
+  return (
+    <Dialog open={open} onOpenChange={onOpenChange}>
+      <DialogContent className="max-sm:inset-0 max-sm:translate-x-0 max-sm:translate-y-0 sm:max-w-md">
+        <DialogHeader>
+          <DialogTitle>{t("form.title")}</DialogTitle>
+          <DialogDescription>{t("description")}</DialogDescription>
+        </DialogHeader>
+        <form onSubmit={handleSubmit} className="space-y-4">
+          <div className="space-y-2">
+            <Label htmlFor="key-name">{t("form.name")}</Label>
+            <Input
+              id="key-name"
+              value={name}
+              onChange={(e) => setName(e.target.value)}
+              placeholder={t("form.namePlaceholder")}
+              className="text-base md:text-sm"
+              required
+            />
+          </div>
+
+          <div className="space-y-2">
+            <Label>{t("form.scopes")}</Label>
+            <div className="space-y-2">
+              {ALL_SCOPES.map((scope) => (
+                <label key={scope} className="flex items-center gap-2 cursor-pointer">
+                  <input
+                    type="checkbox"
+                    checked={scopes.includes(scope)}
+                    onChange={() => toggleScope(scope)}
+                    className="h-4 w-4 rounded border-gray-300"
+                  />
+                  <span className="text-base md:text-sm">
+                    <span className="font-medium">{scope.replace("operator.", "")}</span>
+                    <span className="text-muted-foreground ml-1">
+                      — {t(`form.scopeDescriptions.${scope}`)}
+                    </span>
+                  </span>
+                </label>
+              ))}
+            </div>
+          </div>
+
+          <div className="space-y-2">
+            <Label htmlFor="key-expiry">{t("form.expiry")}</Label>
+            <select
+              id="key-expiry"
+              value={expiry}
+              onChange={(e) => setExpiry(e.target.value)}
+              className="flex h-9 w-full rounded-md border border-input bg-transparent px-3 py-1 text-base md:text-sm shadow-sm"
+            >
+              {EXPIRY_OPTIONS.map((opt) => (
+                <option key={opt.value} value={opt.value}>
+                  {t(`form.expiryOptions.${opt.value}`)}
+                </option>
+              ))}
+            </select>
+          </div>
+
+          <DialogFooter>
+            <Button type="button" variant="outline" onClick={() => onOpenChange(false)}>
+              {t("created.done")}
+            </Button>
+            <Button type="submit" disabled={saving || !name.trim() || scopes.length === 0}>
+              {saving ? t("form.creating") : t("form.create")}
+            </Button>
+          </DialogFooter>
+        </form>
+      </DialogContent>
+    </Dialog>
+  );
+}
diff --git a/ui/web/src/pages/api-keys/api-keys-page.tsx b/ui/web/src/pages/api-keys/api-keys-page.tsx
new file mode 100644
index 00000000..d02731c7
--- /dev/null
+++ b/ui/web/src/pages/api-keys/api-keys-page.tsx
@@ -0,0 +1,213 @@
+import { useState, useEffect } from "react";
+import { useTranslation } from "react-i18next";
+import { Plus, RefreshCw, Key, Ban, Copy, Check } from "lucide-react";
+import { Button } from "@/components/ui/button";
+import {
+  Dialog,
+  DialogContent,
+  DialogHeader,
+  DialogTitle,
+  DialogDescription,
+  DialogFooter,
+} from "@/components/ui/dialog";
+import { Badge } from "@/components/ui/badge";
+import { PageHeader } from "@/components/shared/page-header";
+import { EmptyState } from "@/components/shared/empty-state";
+import { SearchInput } from "@/components/shared/search-input";
+import { Pagination } from "@/components/shared/pagination";
+import { TableSkeleton } from "@/components/shared/loading-skeleton";
+import { ConfirmDeleteDialog } from "@/components/shared/confirm-delete-dialog";
+import { useMinLoading } from "@/hooks/use-min-loading";
+import { useDeferredLoading } from "@/hooks/use-deferred-loading";
+import { usePagination } from "@/hooks/use-pagination";
+import { useApiKeys } from "./hooks/use-api-keys";
+import { ApiKeyCreateDialog } from "./api-key-create-dialog";
+import type { ApiKeyData } from "@/types/api-key";
+
+function formatDate(iso: string | null): string {
+  if (!iso) return "—";
+  return new Date(iso).toLocaleDateString(undefined, {
+    year: "numeric",
+    month: "short",
+    day: "numeric",
+  });
+}
+
+function keyStatus(key: ApiKeyData, t: (k: string) => string): { label: string; variant: "default" | "secondary" | "destructive" } {
+  if (key.revoked) return { label: t("status.revoked"), variant: "destructive" };
+  if (key.expires_at && new Date(key.expires_at) < new Date()) return { label: t("status.expired"), variant: "secondary" };
+  return { label: t("status.active"), variant: "default" };
+}
+
+export function ApiKeysPage() {
+  const { t } = useTranslation("api-keys");
+  const { t: tc } = useTranslation("common");
+  const { apiKeys, loading, refresh, createApiKey, revokeApiKey } = useApiKeys();
+
+  const spinning = useMinLoading(loading);
+  const showSkeleton = useDeferredLoading(loading && apiKeys.length === 0);
+  const [search, setSearch] = useState("");
+  const [createOpen, setCreateOpen] = useState(false);
+  const [revokeTarget, setRevokeTarget] = useState<ApiKeyData | null>(null);
+  const [revokeLoading, setRevokeLoading] = useState(false);
+  const [newKeyRaw, setNewKeyRaw] = useState<string | null>(null);
+  const [copied, setCopied] = useState(false);
+
+  const filtered = apiKeys.filter(
+    (k) => k.name.toLowerCase().includes(search.toLowerCase()) || k.prefix.includes(search),
+  );
+
+  const { pageItems, pagination, setPage, setPageSize, resetPage } = usePagination(filtered);
+
+  useEffect(() => { resetPage(); }, [search, resetPage]);
+
+  const handleRevoke = async () => {
+    if (!revokeTarget) return;
+    setRevokeLoading(true);
+    try {
+      await revokeApiKey(revokeTarget.id);
+      setRevokeTarget(null);
+    } finally {
+      setRevokeLoading(false);
+    }
+  };
+
+  const handleCopy = async () => {
+    if (!newKeyRaw) return;
+    await navigator.clipboard.writeText(newKeyRaw);
+    setCopied(true);
+    setTimeout(() => setCopied(false), 2000);
+  };
+
+  return (
+    <div className="p-4 sm:p-6">
+      <PageHeader
+        title={t("title")}
+        description={t("description")}
+        actions={
+          <div className="flex gap-2">
+            <Button size="sm" onClick={() => setCreateOpen(true)} className="gap-1">
+              <Plus className="h-3.5 w-3.5" /> {t("addKey")}
+            </Button>
+            <Button variant="outline" size="sm" onClick={refresh} disabled={spinning} className="gap-1">
+              <RefreshCw className={spinning ? "animate-spin h-3.5 w-3.5" : "h-3.5 w-3.5"} /> {tc("refresh")}
+            </Button>
+          </div>
+        }
+      />
+
+      <div className="mt-4">
+        <SearchInput value={search} onChange={setSearch} placeholder={t("searchPlaceholder")} className="max-w-sm" />
+      </div>
+
+      <div className="mt-4">
+        {showSkeleton ? (
+          <TableSkeleton rows={5} />
+        ) : filtered.length === 0 ? (
+          <EmptyState icon={Key} title={t("emptyTitle")} description={t("emptyDescription")} />
+        ) : (
+          <>
+            <div className="rounded-md border overflow-x-auto">
+              <table className="w-full min-w-[700px] text-base md:text-sm">
+                <thead>
+                  <tr className="border-b bg-muted/50">
+                    <th className="px-4 py-2 text-left font-medium">{t("columns.name")}</th>
+                    <th className="px-4 py-2 text-left font-medium">{t("columns.prefix")}</th>
+                    <th className="px-4 py-2 text-left font-medium">{t("columns.scopes")}</th>
+                    <th className="px-4 py-2 text-left font-medium">{t("columns.lastUsed")}</th>
+                    <th className="px-4 py-2 text-left font-medium">{t("columns.created")}</th>
+                    <th className="px-4 py-2 text-left font-medium">{t("columns.status")}</th>
+                    <th className="px-4 py-2 text-right font-medium">{t("columns.actions")}</th>
+                  </tr>
+                </thead>
+                <tbody>
+                  {pageItems.map((key) => {
+                    const status = keyStatus(key, t);
+                    return (
+                      <tr key={key.id} className="border-b last:border-0 hover:bg-muted/30">
+                        <td className="px-4 py-2 font-medium">{key.name}</td>
+                        <td className="px-4 py-2">
+                          <code className="rounded bg-muted px-1.5 py-0.5 text-xs">{key.prefix}...***</code>
+                        </td>
+                        <td className="px-4 py-2">
+                          <div className="flex flex-wrap gap-1">
+                            {key.scopes.map((s) => (
+                              <Badge key={s} variant="outline" className="text-xs">
+                                {s.replace("operator.", "")}
+                              </Badge>
+                            ))}
+                          </div>
+                        </td>
+                        <td className="px-4 py-2 text-muted-foreground">{formatDate(key.last_used_at)}</td>
+                        <td className="px-4 py-2 text-muted-foreground">{formatDate(key.created_at)}</td>
+                        <td className="px-4 py-2">
+                          <Badge variant={status.variant}>{status.label}</Badge>
+                        </td>
+                        <td className="px-4 py-2 text-right">
+                          {!key.revoked && (
+                            <Button
+                              variant="ghost"
+                              size="sm"
+                              onClick={() => setRevokeTarget(key)}
+                              className="gap-1 text-destructive hover:text-destructive"
+                            >
+                              <Ban className="h-3.5 w-3.5" />
+                            </Button>
+                          )}
+                        </td>
+                      </tr>
+                    );
+                  })}
+                </tbody>
+              </table>
+            </div>
+            <Pagination {...pagination} onPageChange={setPage} onPageSizeChange={setPageSize} />
+          </>
+        )}
+      </div>
+
+      <ApiKeyCreateDialog
+        open={createOpen}
+        onOpenChange={setCreateOpen}
+        onCreate={async (input) => {
+          const res = await createApiKey(input);
+          setCreateOpen(false);
+          setNewKeyRaw(res.key);
+        }}
+      />
+
+      {/* Show-once key dialog */}
+      <Dialog open={!!newKeyRaw} onOpenChange={(open) => !open && setNewKeyRaw(null)}>
+        <DialogContent className="max-sm:inset-0 max-sm:translate-x-0 max-sm:translate-y-0 sm:max-w-md">
+          <DialogHeader>
+            <DialogTitle>{t("created.title")}</DialogTitle>
+            <DialogDescription>{t("created.description")}</DialogDescription>
+          </DialogHeader>
+          <div className="flex items-center gap-2">
+            <code className="flex-1 overflow-x-auto rounded bg-muted px-3 py-2 text-base md:text-sm font-mono break-all">
+              {newKeyRaw}
+            </code>
+            <Button variant="outline" size="sm" onClick={handleCopy} className="gap-1 shrink-0">
+              {copied ? <Check className="h-3.5 w-3.5" /> : <Copy className="h-3.5 w-3.5" />}
+              {copied ? t("created.copied") : t("created.copy")}
+            </Button>
+          </div>
+          <DialogFooter>
+            <Button onClick={() => setNewKeyRaw(null)}>{t("created.done")}</Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
+
+      <ConfirmDeleteDialog
+        open={!!revokeTarget}
+        onOpenChange={(v) => !v && setRevokeTarget(null)}
+        title={t("revoke.title")}
+        description={t("revoke.description", { name: revokeTarget?.name })}
+        confirmValue={revokeTarget?.name || ""}
+        confirmLabel={t("revoke.confirmLabel")}
+        onConfirm={handleRevoke}
+        loading={revokeLoading}
+      />
+    </div>
+  );
+}
diff --git a/ui/web/src/pages/api-keys/hooks/use-api-keys.ts b/ui/web/src/pages/api-keys/hooks/use-api-keys.ts
new file mode 100644
index 00000000..4f3e8e8c
--- /dev/null
+++ b/ui/web/src/pages/api-keys/hooks/use-api-keys.ts
@@ -0,0 +1,54 @@
+import { useCallback } from "react";
+import { useQuery, useQueryClient } from "@tanstack/react-query";
+import i18next from "i18next";
+import { useHttp } from "@/hooks/use-ws";
+import { queryKeys } from "@/lib/query-keys";
+import { toast } from "@/stores/use-toast-store";
+import type { ApiKeyData, ApiKeyCreateInput, ApiKeyCreateResponse } from "@/types/api-key";
+
+export function useApiKeys() {
+  const http = useHttp();
+  const queryClient = useQueryClient();
+
+  const { data: apiKeys = [], isLoading: loading } = useQuery({
+    queryKey: queryKeys.apiKeys.all,
+    queryFn: () => http.get<ApiKeyData[]>("/v1/api-keys"),
+    staleTime: 60_000,
+  });
+
+  const invalidate = useCallback(
+    () => queryClient.invalidateQueries({ queryKey: queryKeys.apiKeys.all }),
+    [queryClient],
+  );
+
+  const createApiKey = useCallback(
+    async (data: ApiKeyCreateInput): Promise<ApiKeyCreateResponse> => {
+      try {
+        const res = await http.post<ApiKeyCreateResponse>("/v1/api-keys", data);
+        await invalidate();
+        toast.success(i18next.t("api-keys:toast.created"));
+        return res;
+      } catch (err) {
+        toast.error(i18next.t("api-keys:toast.failedCreate"), err instanceof Error ? err.message : "");
+        throw err;
+      }
+    },
+    [http, invalidate],
+  );
+
+  const revokeApiKey = useCallback(
+    async (id: string) => {
+      try {
+        await http.post(`/v1/api-keys/${id}/revoke`, {});
+        await invalidate();
+        toast.success(i18next.t("api-keys:toast.revoked"));
+      } catch (err) {
+        toast.error(i18next.t("api-keys:toast.failedRevoke"), err instanceof Error ? err.message : "");
+        throw err;
+      }
+    },
+    [http, invalidate],
+  );
+
+  return { apiKeys, loading, refresh: invalidate, createApiKey, revokeApiKey };
+}
diff --git a/ui/web/src/routes.tsx b/ui/web/src/routes.tsx
index 9ed4a758..a74bd714 100644
--- a/ui/web/src/routes.tsx
+++ b/ui/web/src/routes.tsx
@@ -90,6 +90,9 @@ const ContactsPage = lazy(() =>
 const ActivityPage = lazy(() =>
   import("@/pages/activity/activity-page").then((m) => ({ default: m.ActivityPage })),
 );
+const ApiKeysPage = lazy(() =>
+  import("@/pages/api-keys/api-keys-page").then((m) => ({ default: m.ApiKeysPage })),
+);
 
 function PageLoader() {
   return (
@@ -161,6 +164,7 @@ export function AppRoutes() {
           <Route path={ROUTES.PENDING_MESSAGES} element={<PendingMessagesPage />} />
           <Route path={ROUTES.MEMORY} element={<MemoryPage />} />
           <Route path={ROUTES.KNOWLEDGE_GRAPH} element={<KnowledgeGraphPage />} />
+          <Route path={ROUTES.API_KEYS} element={<ApiKeysPage />} />
         </Route>
 
         {/* Catch-all → overview */}
diff --git a/ui/web/src/types/api-key.ts b/ui/web/src/types/api-key.ts
new file mode 100644
index 00000000..664a19c6
--- /dev/null
+++ b/ui/web/src/types/api-key.ts
@@ -0,0 +1,22 @@
+export interface ApiKeyData {
+  id: string;
+  name: string;
+  prefix: string;
+  scopes: string[];
+  expires_at: string | null;
+  last_used_at: string | null;
+  revoked: boolean;
+  created_by: string;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface ApiKeyCreateInput {
+  name: string;
+  scopes: string[];
+  expires_in?: number; // seconds; undefined = never
+}
+
+export interface ApiKeyCreateResponse extends ApiKeyData {
+  key: string; // raw key, shown only once
+}