fix(blog): remove fake /org/tokens/:id/logs endpoint reference

The monitoring section referenced GET /org/tokens/:id/logs which does
not exist. The org token API only exposes List/Create/Revoke
(GET/POST/DELETE /org/tokens). Per-token activity logs via API are
a planned feature, not yet built.

Fixes: molecule-core#1914

- Replaced fake curl example with Canvas Activity Log path
- Added roadmap note: per-token activity logs via API (planned)
- Updated footer to include per-token activity logs on roadmap
- Kept the operational guidance (monitor call patterns, revoke if
  suspicious) since the principle is correct even if the API is TBD
Molecule AI · documentation-specialist 2026-04-23 22:38:59 +00:00
parent 69408ab61a
commit a14e361c18


@ -68,16 +68,13 @@ Until role scoping ships: name your keys well, monitor their usage, and treat th
## Monitoring what your agents call
Once an agent is running on an org-scoped key, the audit log is your instrument panel:
Once an agent is running on an org-scoped key, you monitor it the same way you'd monitor any long-lived service credential:
```bash
curl https://acme.moleculesai.app/org/tokens/ci-agent-prod_abc123/logs \
-H "Authorization: Bearer $ADMIN_TOKEN"
```
**In Canvas:** Settings → Org API Keys → [key name] → Activity Log shows recent calls for that key.
Returns a paginated log of every call the key has made — timestamp, endpoint, response code, duration. Rotate this view into your observability stack and you have agent-level call attribution without any agent-side instrumentation.
**Per-token activity logs via API** (planned): a structured API endpoint for querying an org-scoped key's call history — timestamp, endpoint, response code, duration — is on the roadmap. Until it ships, the Canvas Activity Log is the primary monitoring interface.
If the call pattern changes — a monitoring agent suddenly starts calling `/workspaces POST` — that's a signal. Revoke the key, investigate, re-issue with tighter scope if needed.
If a monitoring agent's call pattern changes — it suddenly starts calling `/workspaces POST` instead of read-only endpoints — that's a signal. Revoke the key, investigate, and re-issue with tighter scope if needed.
## The security properties that survive agent compromise
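Review bot: "re-issue with tighter scope if needed" in the retained closing sentence of this hunk is not yet actionable, because the hunk's own leading context line says "Until role scoping ships" and the footer lists role scoping as roadmap; suggest "Revoke the key, investigate, and re-issue it (bind it to a narrower role once role scoping ships)" or drop the scope clause. Separately, the deleted line "Rotate this view into your observability stack and you have agent-level call attribution" was the only statement about getting per-key call data out of the product; the new Canvas paragraph should say explicitly whether the Activity Log can be exported before the planned API exists, so readers do not assume the same attribution pipeline is still available.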
@ -106,4 +103,4 @@ curl -X POST https://acme.moleculesai.app/org/tokens \
Store the returned plaintext token in your secret manager. Hand it to the agent. Monitor the key's usage in Settings → Org API Keys → [key name] → Activity Log.
*Org-scoped API keys shipped in PRs #1105, #1107, #1109, and #1110. Role scoping and per-workspace bindings are on the roadmap.*
*Org-scoped API keys shipped in PRs #1105, #1107, #1109, and #1110. Role scoping, per-workspace bindings, and per-token activity logs via API are on the roadmap.*