# Machine Keys API

The Machine Keys API manages tenant-bound public keys after bootstrap.

All routes require a valid Abbotik bearer token with root or full tenant access.

## Endpoint Summary

| Method | Path | Description |
|--------|------|-------------|
| GET | [`/api/user/machine-keys`](GET.md) | List tenant machine keys with fingerprint-first metadata. |
| POST | [`/api/user/machine-keys`](POST.md) | Add a public key bound to a tenant-local user. |
| POST | [`/api/user/machine-keys/rotate`](rotate/POST.md) | Rotate a machine key with an overlap window. |
| DELETE | [`/api/user/machine-keys/:key_id`](:key_id/DELETE.md) | Revoke a tenant machine key. |

## LLM Navigation Notes

Use the exact router-shaped docs paths:

- `/docs/api/user/machine-keys/GET`
- `/docs/api/user/machine-keys/POST`
- `/docs/api/user/machine-keys/rotate/POST`
- `/docs/api/user/machine-keys/key_id/DELETE`