@geolonia/geonicdb-cli 0.4.1 → 0.6.0

package/README.md

@@ -118,10 +118,28 @@ geonic help [<command>] [<subcommand>]
 |---|---|
 | `auth login` | Authenticate and save token |
 | `auth logout` | Clear saved authentication token |
+| `auth nonce` | Get a nonce and PoW challenge for API key authentication |
+| `auth token-exchange` | Exchange API key for a session JWT via nonce + PoW |
 
 The `auth login` command reads `GDB_EMAIL` and `GDB_PASSWORD` environment variables. It also supports OAuth Client Credentials flow with `--client-id` and `--client-secret`.
 
-### me — Display current user
+#### API Key Token Exchange
+
+`auth token-exchange` performs a complete API key to JWT exchange:
+
+1. Requests a nonce from the server (`POST /auth/nonce`)
+2. Solves the Proof-of-Work challenge (SHA-256)
+3. Exchanges the API key + solved PoW for a session JWT (`POST /oauth/token`)
+
+```bash
+# Exchange API key for JWT and save to config
+geonic auth token-exchange --api-key gdb_abcdef... --save
+
+# Just display the token without saving
+geonic auth token-exchange --api-key gdb_abcdef...
+```
+
+### me — Current user and self-service resources
 
 ```bash
 geonic me
@@ -129,6 +147,44 @@ geonic me
 
 Displays the current authenticated user, token expiry, and active profile.
 
+#### me oauth-clients
+
+| Subcommand | Description |
+|---|---|
+| `me oauth-clients list` | List your OAuth clients |
+| `me oauth-clients create [json]` | Create a new OAuth client |
+| `me oauth-clients delete <id>` | Delete an OAuth client |
+
+#### me api-keys
+
+| Subcommand | Description |
+|---|---|
+| `me api-keys list` | List your API keys |
+| `me api-keys create [json]` | Create a new API key |
+| `me api-keys delete <keyId>` | Delete an API key |
+
+`me api-keys create` supports flag options:
+
+| Flag | Description |
+|---|---|
+| `--name <name>` | Key name |
+| `--scopes <scopes>` | Allowed scopes (comma-separated) |
+| `--origins <origins>` | Allowed origins (comma-separated, at least 1 required) |
+| `--entity-types <types>` | Allowed entity types (comma-separated) |
+| `--rate-limit <n>` | Rate limit (requests per minute) |
+| `--dpop-required` | Require DPoP token binding (RFC 9449) |
+| `--save` | Save the API key to profile config |
+
+```bash
+# Create an API key and save to config
+geonic me api-keys create --name my-app --scopes read:entities --save
+
+# Create from JSON
+geonic me api-keys create '{"name":"my-app","allowedScopes":["read:entities"]}'
+```
+
+`me api-keys list` output includes a `dpopRequired` field (boolean).
+
 ### entities — Manage context entities
 
 | Subcommand | Description |
@@ -306,6 +362,20 @@ Temporal entityOperations query supports: `--aggr-methods`, `--aggr-period`.
 | `admin oauth-clients update <id> [json]` | Update an OAuth client |
 | `admin oauth-clients delete <id>` | Delete an OAuth client |
 
+#### admin api-keys
+
+| Subcommand | Description |
+|---|---|
+| `admin api-keys list` | List all API keys |
+| `admin api-keys get <keyId>` | Get an API key by ID |
+| `admin api-keys create [json]` | Create a new API key |
+| `admin api-keys update <keyId> [json]` | Update an API key |
+| `admin api-keys delete <keyId>` | Delete an API key |
+
+`admin api-keys list` supports `--tenant-id` to filter by tenant. `admin api-keys create` supports flag options: `--name`, `--scopes`, `--origins`, `--entity-types`, `--rate-limit`, `--dpop-required`, `--tenant-id`, `--save`. `admin api-keys update` supports `--name`, `--scopes`, `--origins`, `--entity-types`, `--rate-limit`, `--dpop-required` / `--no-dpop-required`.
+
+**Note**: `allowedOrigins` must contain at least 1 item when specified. Use `*` to allow all origins. `allowedEntityTypes` is enforced at runtime — API key holders can only access entities of the specified types. `admin api-keys list` / `admin api-keys get` output includes a `dpopRequired` field (boolean).
+
 #### admin cadde
 
 | Subcommand | Description |
@@ -435,6 +505,31 @@ Override the config directory with the `GEONIC_CONFIG_DIR` environment variable:
 GEONIC_CONFIG_DIR=/path/to/config geonic entities list
 ```
 
+## API Key Authentication
+
+API keys provide an alternative to JWT tokens for authentication. When configured, requests include the `X-Api-Key` header.
+
+```bash
+# Set API key in config
+geonic config set api-key gdb_your_api_key_here
+
+# Or pass via CLI flag
+geonic entities list --api-key gdb_your_api_key_here
+
+# Or use environment variable
+GDB_API_KEY=gdb_your_api_key_here geonic entities list
+```
+
+When both a Bearer token and an API key are configured, both headers are sent (the server determines precedence).
+
+### Valid Scopes
+
+`read:entities`, `write:entities`, `read:subscriptions`, `write:subscriptions`, `read:registrations`, `write:registrations`
+
+### Entity Type Restrictions
+
+API keys with `allowedEntityTypes` are restricted to the specified entity types at runtime. Attempting to access entities of other types results in a 403 error with a descriptive message.
+
 ## Development
 
 Requires Node.js >= 20.

package/dist/index.js

@@ -602,6 +602,7 @@ function registerConfigCommand(program2) {
 }
 
 // src/commands/auth.ts
+import { createHash } from "crypto";
 import { Command } from "commander";
 
 // src/oauth.ts
@@ -673,7 +674,7 @@ var GdbClient = class _GdbClient {
     if (this.token) {
       headers["Authorization"] = `Bearer ${this.token}`;
     } else if (this.apiKey) {
-      headers["Authorization"] = `Bearer ${this.apiKey}`;
+      headers["X-Api-Key"] = this.apiKey;
     }
     if (extra) {
       Object.assign(headers, extra);
@@ -694,13 +695,15 @@ var GdbClient = class _GdbClient {
   getBasePath() {
     return "/ngsi-ld/v1";
   }
-  static SENSITIVE_HEADERS = /* @__PURE__ */ new Set(["authorization"]);
+  static SENSITIVE_HEADERS = /* @__PURE__ */ new Set(["authorization", "x-api-key"]);
   static SENSITIVE_BODY_KEYS = /* @__PURE__ */ new Set([
     "password",
     "refreshToken",
     "token",
     "client_secret",
-    "clientSecret"
+    "clientSecret",
+    "key",
+    "apiKey"
   ]);
   logRequest(method, url, headers, body) {
     if (!this.verbose) return;
@@ -983,6 +986,13 @@ function withErrorHandler(fn) {
       }
       if (err instanceof GdbClientError && err.status === 401) {
         printError("Authentication failed. Please run `geonic login` to re-authenticate.");
+      } else if (err instanceof GdbClientError && err.status === 403) {
+        const detail = (err.ngsiError?.detail ?? err.ngsiError?.description ?? "").toLowerCase();
+        if (detail.includes("entity type") || detail.includes("allowedentitytypes")) {
+          printError(`Entity type restriction: ${err.message}`);
+        } else {
+          printError(err.message);
+        }
       } else if (err instanceof Error) {
         printError(err.message);
       } else {
@@ -1343,6 +1353,131 @@ function addMeOAuthClientsSubcommand(me) {
   ]);
 }
 
+// src/commands/me-api-keys.ts
+function addMeApiKeysSubcommand(me) {
+  const apiKeys = me.command("api-keys").description("Manage your API keys");
+  const list = apiKeys.command("list").description("List your API keys").action(
+    withErrorHandler(async (_opts, cmd) => {
+      const client = createClient(cmd);
+      const format = getFormat(cmd);
+      const response = await client.rawRequest("GET", "/me/api-keys");
+      outputResponse(response, format);
+    })
+  );
+  addExamples(list, [
+    {
+      description: "List your API keys",
+      command: "geonic me api-keys list"
+    }
+  ]);
+  const create = apiKeys.command("create [json]").description("Create a new API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Allowed scopes (comma-separated)").option("--origins <origins>", "Allowed origins (comma-separated)").option("--entity-types <types>", "Allowed entity types (comma-separated)").option("--rate-limit <n>", "Rate limit per minute").option("--dpop-required", "Require DPoP token binding").option("--save", "Save the API key to config for automatic use").action(
+    withErrorHandler(async (json, _opts, cmd) => {
+      const opts = cmd.opts();
+      if (opts.origins !== void 0) {
+        const parsed = opts.origins.split(",").map((s) => s.trim()).filter(Boolean);
+        if (parsed.length === 0) {
+          printError("allowedOrigins must contain at least 1 item. Use '*' to allow all origins.");
+          process.exit(1);
+        }
+      }
+      let body;
+      if (json) {
+        body = await parseJsonInput(json);
+      } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit || opts.dpopRequired !== void 0) {
+        const payload = {};
+        if (opts.name) payload.name = opts.name;
+        if (opts.scopes) payload.allowedScopes = opts.scopes.split(",").map((s) => s.trim()).filter(Boolean);
+        if (opts.origins) payload.allowedOrigins = opts.origins.split(",").map((s) => s.trim()).filter(Boolean);
+        if (opts.entityTypes) payload.allowedEntityTypes = opts.entityTypes.split(",").map((s) => s.trim()).filter(Boolean);
+        if (opts.dpopRequired !== void 0) payload.dpopRequired = opts.dpopRequired;
+        if (opts.rateLimit) {
+          const raw = opts.rateLimit.trim();
+          if (!/^\d+$/.test(raw)) {
+            printError("--rate-limit must be a positive integer.");
+            process.exit(1);
+          }
+          const perMinute = Number(raw);
+          if (perMinute <= 0) {
+            printError("--rate-limit must be a positive integer.");
+            process.exit(1);
+          }
+          payload.rateLimit = { perMinute };
+        }
+        body = payload;
+      } else {
+        body = await parseJsonInput();
+      }
+      if (body && typeof body === "object" && "allowedOrigins" in body) {
+        const origins = body.allowedOrigins;
+        if (Array.isArray(origins) && origins.filter((o) => typeof o === "string" && o.trim() !== "").length === 0) {
+          printError("allowedOrigins must contain at least 1 item. Use '*' to allow all origins.");
+          process.exit(1);
+        }
+      }
+      const client = createClient(cmd);
+      const format = getFormat(cmd);
+      const response = await client.rawRequest("POST", "/me/api-keys", { body });
+      const data = response.data;
+      if (opts.save) {
+        const globalOpts = resolveOptions(cmd);
+        const key = data.key;
+        if (!key) {
+          printError("Response missing key. API key was created, but it could not be saved.");
+          outputResponse(response, format);
+          process.exitCode = 1;
+          return;
+        }
+        const config = loadConfig(globalOpts.profile);
+        config.apiKey = key;
+        saveConfig(config, globalOpts.profile);
+        console.error("API key saved to config. X-Api-Key header will be sent automatically.");
+      } else {
+        printWarning("Save the API key now \u2014 it will not be shown again. Use --save to store it automatically.");
+      }
+      outputResponse(response, format);
+      console.error("API key created.");
+    })
+  );
+  addExamples(create, [
+    {
+      description: "Create an API key with flags",
+      command: "geonic me api-keys create --name my-app --scopes read:entities --origins 'https://example.com'"
+    },
+    {
+      description: "Create and save API key to config",
+      command: "geonic me api-keys create --name my-app --save"
+    },
+    {
+      description: "Create an API key from JSON",
+      command: `geonic me api-keys create '{"name":"my-app","allowedScopes":["read:entities"]}'`
+    },
+    {
+      description: "Create an API key with rate limiting",
+      command: "geonic me api-keys create --name my-app --rate-limit 100"
+    },
+    {
+      description: "Create an API key with DPoP required",
+      command: "geonic me api-keys create --name my-app --dpop-required"
+    }
+  ]);
+  const del = apiKeys.command("delete <keyId>").description("Delete an API key").action(
+    withErrorHandler(async (keyId, _opts, cmd) => {
+      const client = createClient(cmd);
+      await client.rawRequest(
+        "DELETE",
+        `/me/api-keys/${encodeURIComponent(String(keyId))}`
+      );
+      console.error("API key deleted.");
+    })
+  );
+  addExamples(del, [
+    {
+      description: "Delete an API key",
+      command: "geonic me api-keys delete <key-id>"
+    }
+  ]);
+}
+
 // src/commands/auth.ts
 function createLoginCommand() {
   return new Command("login").description("Authenticate and save token").option("--client-credentials", "Use OAuth 2.0 Client Credentials flow").option("--client-id <id>", "OAuth client ID").option("--client-secret <secret>", "OAuth client secret").option("--scope <scopes>", "OAuth scopes (space-separated)").option("--tenant-id <id>", "Tenant ID for scoped authentication").action(
@@ -1470,6 +1605,117 @@ function createMeAction() {
     printInfo(`Profile: ${profileName}`);
   });
 }
+async function fetchNonce(baseUrl, apiKey) {
+  const origin = new URL(baseUrl).origin;
+  const url = new URL("/auth/nonce", baseUrl).toString();
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Origin": origin
+    },
+    body: JSON.stringify({ api_key: apiKey })
+  });
+  if (!response.ok) {
+    const text = await response.text();
+    throw new Error(`Nonce request failed: ${text || `HTTP ${response.status}`}`);
+  }
+  return await response.json();
+}
+function createNonceCommand() {
+  return new Command("nonce").description("Get a nonce and PoW challenge for API key authentication").option("--api-key <key>", "API key to get nonce for").action(
+    withErrorHandler(async (...args) => {
+      const cmd = args[args.length - 1];
+      const nonceOpts = cmd.opts();
+      const globalOpts = resolveOptions(cmd);
+      const apiKey = nonceOpts.apiKey ?? globalOpts.apiKey;
+      if (!apiKey) {
+        printError("API key is required. Use --api-key or configure it with `geonic config set api-key <key>`.");
+        process.exit(1);
+      }
+      if (!globalOpts.url) {
+        printError("No URL configured. Use `geonic config set url <url>` or pass --url.");
+        process.exit(1);
+      }
+      const baseUrl = validateUrl(globalOpts.url);
+      const data = await fetchNonce(baseUrl, apiKey);
+      const format = getFormat(cmd);
+      outputResponse({ status: 200, headers: new Headers(), data }, format);
+    })
+  );
+}
+function hasLeadingZeroBits(hash, bits) {
+  const fullBytes = Math.floor(bits / 8);
+  const remainingBits = bits % 8;
+  for (let i = 0; i < fullBytes; i++) {
+    if (hash[i] !== 0) return false;
+  }
+  if (remainingBits > 0) {
+    const mask = 255 << 8 - remainingBits;
+    if ((hash[fullBytes] & mask) !== 0) return false;
+  }
+  return true;
+}
+var MAX_POW_ITERATIONS = 1e7;
+function solvePoW(challenge, difficulty) {
+  for (let nonce = 0; nonce < MAX_POW_ITERATIONS; nonce++) {
+    const hash = createHash("sha256").update(`${challenge}${nonce}`).digest();
+    if (hasLeadingZeroBits(hash, difficulty)) return nonce;
+  }
+  throw new Error(`PoW could not be solved within ${MAX_POW_ITERATIONS} iterations`);
+}
+function createTokenExchangeCommand() {
+  return new Command("token-exchange").description("Exchange API key for a session JWT via nonce + PoW").option("--api-key <key>", "API key to exchange").option("--save", "Save the obtained token to profile config").action(
+    withErrorHandler(async (...args) => {
+      const cmd = args[args.length - 1];
+      const exchangeOpts = cmd.opts();
+      const globalOpts = resolveOptions(cmd);
+      const apiKey = exchangeOpts.apiKey ?? globalOpts.apiKey;
+      if (!apiKey) {
+        printError("API key is required. Use --api-key or configure it with `geonic config set api-key <key>`.");
+        process.exit(1);
+      }
+      if (!globalOpts.url) {
+        printError("No URL configured. Use `geonic config set url <url>` or pass --url.");
+        process.exit(1);
+      }
+      const baseUrl = validateUrl(globalOpts.url);
+      const origin = new URL(baseUrl).origin;
+      const nonceData = await fetchNonce(baseUrl, apiKey);
+      printInfo(`Nonce received. Solving PoW (difficulty=${nonceData.difficulty})...`);
+      const powNonce = solvePoW(nonceData.challenge, nonceData.difficulty);
+      const tokenUrl = new URL("/oauth/token", baseUrl).toString();
+      const tokenResponse = await fetch(tokenUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Origin": origin
+        },
+        body: JSON.stringify({
+          grant_type: "api_key",
+          api_key: apiKey,
+          nonce: nonceData.nonce,
+          proof: String(powNonce)
+        })
+      });
+      if (!tokenResponse.ok) {
+        const text = await tokenResponse.text();
+        throw new Error(`Token exchange failed: ${text || `HTTP ${tokenResponse.status}`}`);
+      }
+      const tokenData = await tokenResponse.json();
+      if (exchangeOpts.save) {
+        const config = loadConfig(globalOpts.profile);
+        config.token = tokenData.access_token;
+        saveConfig(config, globalOpts.profile);
+        printSuccess("Token exchange successful. Token saved to config.");
+      } else {
+        const format = getFormat(cmd);
+        outputResponse({ status: tokenResponse.status, headers: tokenResponse.headers, data: tokenData }, format);
+        printSuccess("Token exchange successful.");
+      }
+    })
+  );
+}
 function registerAuthCommands(program2) {
   const auth = program2.command("auth").description("Manage authentication");
   const login = createLoginCommand();
@@ -1500,6 +1746,22 @@ function registerAuthCommands(program2) {
     }
   ]);
   auth.addCommand(logout);
+  const nonce = createNonceCommand();
+  addExamples(nonce, [
+    {
+      description: "Get a nonce for API key authentication",
+      command: "geonic auth nonce --api-key gdb_abcdef..."
+    }
+  ]);
+  auth.addCommand(nonce);
+  const tokenExchange = createTokenExchangeCommand();
+  addExamples(tokenExchange, [
+    {
+      description: "Exchange API key for a JWT and save it",
+      command: "geonic auth token-exchange --api-key gdb_abcdef... --save"
+    }
+  ]);
+  auth.addCommand(tokenExchange);
   const me = program2.command("me").description("Display current authenticated user and manage user resources");
   const meInfo = me.command("info", { isDefault: true, hidden: true }).description("Display current authenticated user").action(createMeAction());
   addExamples(me, [
@@ -1510,6 +1772,10 @@ function registerAuthCommands(program2) {
     {
       description: "List your OAuth clients",
       command: "geonic me oauth-clients list"
+    },
+    {
+      description: "List your API keys",
+      command: "geonic me api-keys list"
     }
   ]);
   addExamples(meInfo, [
@@ -1519,6 +1785,7 @@ function registerAuthCommands(program2) {
     }
   ]);
   addMeOAuthClientsSubcommand(me);
+  addMeApiKeysSubcommand(me);
   program2.addCommand(createLoginCommand(), { hidden: true });
   program2.addCommand(createLogoutCommand(), { hidden: true });
   const hiddenWhoami = new Command("whoami").description("Display current authenticated user").action(createMeAction());
@@ -3065,6 +3332,203 @@ function registerCaddeCommand(parent) {
   ]);
 }
 
+// src/commands/admin/api-keys.ts
+function validateOrigins(body, opts) {
+  if (opts.origins !== void 0) {
+    const origins = String(opts.origins).split(",").map((s) => s.trim()).filter(Boolean);
+    if (origins.length === 0) {
+      printError("allowedOrigins must contain at least 1 item. Use '*' to allow all origins.");
+      process.exit(1);
+    }
+  }
+  if (body && typeof body === "object" && "allowedOrigins" in body) {
+    const origins = body.allowedOrigins;
+    if (Array.isArray(origins) && origins.filter((o) => typeof o === "string" && o.trim() !== "").length === 0) {
+      printError("allowedOrigins must contain at least 1 item. Use '*' to allow all origins.");
+      process.exit(1);
+    }
+  }
+}
+function buildBodyFromFlags(opts) {
+  const payload = {};
+  if (opts.name) payload.name = opts.name;
+  if (opts.scopes) payload.allowedScopes = opts.scopes.split(",").map((s) => s.trim()).filter(Boolean);
+  if (opts.origins) payload.allowedOrigins = opts.origins.split(",").map((s) => s.trim()).filter(Boolean);
+  if (opts.entityTypes) payload.allowedEntityTypes = opts.entityTypes.split(",").map((s) => s.trim()).filter(Boolean);
+  if (opts.rateLimit) {
+    const raw = String(opts.rateLimit).trim();
+    if (!/^\d+$/.test(raw)) {
+      printError("--rate-limit must be a positive integer.");
+      process.exit(1);
+    }
+    const perMinute = Number(raw);
+    if (perMinute <= 0) {
+      printError("--rate-limit must be a positive integer.");
+      process.exit(1);
+    }
+    payload.rateLimit = { perMinute };
+  }
+  if (opts.dpopRequired !== void 0) payload.dpopRequired = opts.dpopRequired;
+  if (opts.tenantId) payload.tenantId = opts.tenantId;
+  return payload;
+}
+function registerApiKeysCommand(parent) {
+  const apiKeys = parent.command("api-keys").description("Manage API keys");
+  const list = apiKeys.command("list").description("List all API keys").option("--tenant-id <id>", "Filter by tenant ID").action(
+    withErrorHandler(async (_opts, cmd) => {
+      const opts = cmd.opts();
+      const client = createClient(cmd);
+      const format = getFormat(cmd);
+      const params = {};
+      if (opts.tenantId) params.tenantId = opts.tenantId;
+      const response = await client.rawRequest("GET", "/admin/api-keys", {
+        params
+      });
+      outputResponse(response, format);
+    })
+  );
+  addExamples(list, [
+    {
+      description: "List all API keys",
+      command: "geonic admin api-keys list"
+    },
+    {
+      description: "List API keys for a specific tenant",
+      command: "geonic admin api-keys list --tenant-id <tenant-id>"
+    }
+  ]);
+  const get = apiKeys.command("get <keyId>").description("Get an API key by ID").action(
+    withErrorHandler(async (keyId, _opts, cmd) => {
+      const client = createClient(cmd);
+      const format = getFormat(cmd);
+      const response = await client.rawRequest(
+        "GET",
+        `/admin/api-keys/${encodeURIComponent(String(keyId))}`
+      );
+      outputResponse(response, format);
+    })
+  );
+  addExamples(get, [
+    {
+      description: "Get an API key by ID",
+      command: "geonic admin api-keys get <key-id>"
+    }
+  ]);
+  const create = apiKeys.command("create [json]").description("Create a new API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Comma-separated scopes").option("--origins <origins>", "Comma-separated origins").option("--entity-types <types>", "Comma-separated entity types").option("--rate-limit <n>", "Rate limit per minute").option("--dpop-required", "Require DPoP token binding").option("--tenant-id <id>", "Tenant ID").option("--save", "Save the API key to profile config").action(
+    withErrorHandler(async (json, _opts, cmd) => {
+      const opts = cmd.opts();
+      validateOrigins(void 0, opts);
+      let body;
+      if (json) {
+        body = await parseJsonInput(json);
+      } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit || opts.dpopRequired !== void 0 || opts.tenantId) {
+        body = buildBodyFromFlags(opts);
+      } else {
+        body = await parseJsonInput();
+      }
+      validateOrigins(body, {});
+      const client = createClient(cmd);
+      const format = getFormat(cmd);
+      const response = await client.rawRequest("POST", "/admin/api-keys", {
+        body
+      });
+      const data = response.data;
+      if (opts.save) {
+        const globalOpts = resolveOptions(cmd);
+        const key = data.key;
+        if (!key) {
+          printError("Response missing key. API key was created, but it could not be saved.");
+          outputResponse(response, format);
+          process.exitCode = 1;
+          return;
+        }
+        const config = loadConfig(globalOpts.profile);
+        config.apiKey = key;
+        saveConfig(config, globalOpts.profile);
+        console.error("API key saved to config. X-Api-Key header will be sent automatically.");
+      } else {
+        printWarning("Save the API key now \u2014 it will not be shown again. Use --save to store it automatically.");
+      }
+      outputResponse(response, format);
+      console.error("API key created.");
+    })
+  );
+  addExamples(create, [
+    {
+      description: "Create an API key with flags",
+      command: "geonic admin api-keys create --name my-key --scopes entities:read,entities:write --origins '*'"
+    },
+    {
+      description: "Create an API key with DPoP required",
+      command: "geonic admin api-keys create --name my-key --dpop-required"
+    },
+    {
+      description: "Create an API key from JSON and save to config",
+      command: "geonic admin api-keys create @key.json --save"
+    }
+  ]);
+  const update = apiKeys.command("update <keyId> [json]").description("Update an API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Comma-separated scopes").option("--origins <origins>", "Comma-separated origins").option("--entity-types <types>", "Comma-separated entity types").option("--rate-limit <n>", "Rate limit per minute").option("--dpop-required", "Require DPoP token binding").option("--no-dpop-required", "Disable DPoP token binding").action(
+    withErrorHandler(
+      async (keyId, json, _opts, cmd) => {
+        const opts = cmd.opts();
+        validateOrigins(void 0, opts);
+        let body;
+        if (json) {
+          body = await parseJsonInput(json);
+        } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit || opts.dpopRequired !== void 0) {
+          body = buildBodyFromFlags(opts);
+        } else {
+          body = await parseJsonInput();
+        }
+        validateOrigins(body, {});
+        const client = createClient(cmd);
+        const format = getFormat(cmd);
+        const response = await client.rawRequest(
+          "PATCH",
+          `/admin/api-keys/${encodeURIComponent(String(keyId))}`,
+          { body }
+        );
+        outputResponse(response, format);
+        console.error("API key updated.");
+      }
+    )
+  );
+  addExamples(update, [
+    {
+      description: "Update an API key name",
+      command: "geonic admin api-keys update <key-id> --name new-name"
+    },
+    {
+      description: "Enable DPoP requirement",
+      command: "geonic admin api-keys update <key-id> --dpop-required"
+    },
+    {
+      description: "Disable DPoP requirement",
+      command: "geonic admin api-keys update <key-id> --no-dpop-required"
+    },
+    {
+      description: "Update an API key from a JSON file",
+      command: "geonic admin api-keys update <key-id> @key.json"
+    }
+  ]);
+  const del = apiKeys.command("delete <keyId>").description("Delete an API key").action(
+    withErrorHandler(async (keyId, _opts, cmd) => {
+      const client = createClient(cmd);
+      await client.rawRequest(
+        "DELETE",
+        `/admin/api-keys/${encodeURIComponent(String(keyId))}`
+      );
+      console.error("API key deleted.");
+    })
+  );
+  addExamples(del, [
+    {
+      description: "Delete an API key",
+      command: "geonic admin api-keys delete <key-id>"
+    }
+  ]);
+}
+
 // src/commands/admin/index.ts
 function registerAdminCommand(program2) {
   const admin = program2.command("admin").description("Manage admin resources");
@@ -3072,6 +3536,7 @@ function registerAdminCommand(program2) {
   registerUsersCommand(admin);
   registerPoliciesCommand(admin);
   registerOAuthClientsCommand(admin);
+  registerApiKeysCommand(admin);
   registerCaddeCommand(admin);
 }