wiki/decisions/2026-07-03-service-key-billing-admin-metrics.md
ADR: Service-Key Protected Billing Admin Metrics
Date: 2026-07-03 Status: Accepted
Context
Scout is moving from local utility into hosted beta service. The current hosted system already records tenants, API keys, purchases, credit balances, and usage ledger events, but operator visibility was split between tenant-facing hosted endpoints and SSH-only SQLite scripts. That is too hidden for a SaaS-style beta because operators need quick measurement of signups, usage, purchases, credits, and revenue without exposing secrets.
Decision
Add GET /v1/billing/admin/metrics, protected by the service X-API-Key, and
allow that service-key route even when SCOUT_PUBLIC_HOSTED_ONLY=true.
Rationale
The endpoint gives Scout an operator monitoring primitive that can be used by
scripts, dashboards, or future internal admin pages. It complements the
tenant-facing /v1/hosted/me, /v1/hosted/usage, and /v1/hosted/purchases
routes without turning tenant APIs into admin APIs.
The response is deliberately non-secret. It can include account ids, tenant ids, key ids, email, names, plan, balances, purchase package metadata, usage actions, credits consumed, and aggregate totals. It must not include raw hosted API keys, key hashes, Stripe secrets, SMTP secrets, or payment details.
Alternatives Considered
| Option | Why rejected |
|---|---|
| SSH-only SQLite scripts | Useful for emergency operations, but too hidden for hosted beta measurement and hard to automate from other operator tools. |
| Public metrics endpoint | Unsafe because account, usage, and purchase data belong behind operator authorization. |
| Tenant-only metrics | Insufficient for beta operations because operators need cross-account signup, usage, purchase, and revenue totals. |
Consequences
SCOUT_API_KEY/service key becomes the operator credential for the metrics API and must be protected like any SaaS admin credential.- Hosted-only middleware must continue blocking local/admin routes while
explicitly allowing
/v1/billing/admin/*only with the correct service key. - Future dashboards can build on this endpoint instead of scraping SSH command output.
- The endpoint should remain non-secret and receive regression tests for auth boundaries and secret leakage.