# Create and Manage API Tokens

**ID:** DEV-001
**Priority:** High
**Status:** Planned

## User Story
As a developer, I want to create and manage API tokens so that I can integrate my applications with the identity provider programmatically.

## Acceptance Criteria
- [ ] Developer can create new API tokens with custom names
- [ ] Token is shown once at creation (cannot be retrieved later)
- [ ] Developer can set token expiration (or no expiration)
- [ ] Developer can set token scopes/permissions
- [ ] List all tokens with creation date and last used
- [ ] Revoke individual tokens
- [ ] Revoke all tokens at once
- [ ] Rate limiting information shown per token

## Technical Notes
- ApiTokenManager exists with basic infrastructure
- `loginWithApiToken` endpoint available
- Need UI for token management (currently backend only)
- Tokens should be hashed before storage (show once)
- Consider token prefixes for easy identification (idp_...)

## Related TODOs
- Partial implementation in ApiTokenManager