Summary
Add support for generating team keys server-side so that clients never need to handle private key material.
Current Behavior
POST /api/teams/:id/keys requires { name, secret_key } — the client must generate the key and send it. This means the private key exists in client memory during onboarding, even if only briefly.
Proposed Behavior
When secret_key is omitted from the request, Keycast generates the keypair server-side:
POST /api/teams/:id/keys { name, secret_key } — import mode (existing behavior, unchanged)
POST /api/teams/:id/keys { name } — generate mode (new, key never leaves server)
Both return the same PublicStoredKey response (pubkey only, no secret).
Motivation
For new restaurant onboarding, there is no pre-existing key to import. The client currently generates a key client-side solely to send it to Keycast — the client has no use for the private key itself. Server-side generation eliminates this unnecessary exposure.
Once this endpoint is available, the client-side key generation workaround in the Synvya client (NewRestaurantSetup.tsx) will be removed in favor of calling the generate endpoint directly.
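The two request shapes above, modelled as a Node.js handler so the mode selection and the pubkey-only response can be checked. This is an added example, not Keycast's code: the function names, the in-memory store, the secp256k1 curve, hex-encoded secrets, the `team_id` response field and the choice to reject an empty or null `secret_key` rather than fall back to generation are all assumptions.

```javascript
// Added example; everything except name / secret_key / pubkey is hypothetical.
const { createECDH } = require('node:crypto');

// Stand-in for the server's key storage (a real service would encrypt at rest).
const storedKeys = new Map(); // pubkey hex -> { teamId, name, secretHex }

// Assumption: secp256k1 keys, secrets as 64 hex chars, pubkey = 32-byte X coordinate.
function keypairFrom(secretHex) {
  const ecdh = createECDH('secp256k1');
  if (secretHex === undefined) {
    ecdh.generateKeys(); // generate mode: the secret is created on the server
  } else {
    ecdh.setPrivateKey(Buffer.from(secretHex, 'hex')); // import mode; throws if out of range
  }
  const compressed = ecdh.getPublicKey(null, 'compressed'); // 0x02|0x03 followed by X
  return {
    secretHex: ecdh.getPrivateKey('hex').padStart(64, '0'),
    pubkey: compressed.subarray(1).toString('hex'),
  };
}

// Models POST /api/teams/:id/keys for both request shapes.
function createTeamKey(teamId, body) {
  if (typeof body.name !== 'string' || body.name === '') {
    return { status: 400, body: { error: 'name is required' } };
  }
  // Only an absent field selects generate mode. "" or null is treated as a
  // malformed import so a client bug cannot silently mint a different key.
  const importing = Object.prototype.hasOwnProperty.call(body, 'secret_key');
  if (importing && !(typeof body.secret_key === 'string' && /^[0-9a-f]{64}$/i.test(body.secret_key))) {
    return { status: 400, body: { error: 'secret_key is malformed' } };
  }
  let pair;
  try {
    pair = keypairFrom(importing ? body.secret_key : undefined);
  } catch {
    return { status: 400, body: { error: 'secret_key is not a valid key' } };
  }
  storedKeys.set(pair.pubkey, { teamId, name: body.name, secretHex: pair.secretHex });
  // Same response in both modes: public half only, never the secret.
  return { status: 200, body: { team_id: teamId, name: body.name, pubkey: pair.pubkey } };
}
```

The error bodies never echo the submitted `secret_key`, so a rejected import does not leak the secret into responses or logs built from them.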