From be6612f45468524707276d8ed61262a6bdbaebf6 Mon Sep 17 00:00:00 2001
From: yungle246 <yungle246@gmail.com>
Date: Thu, 11 Jun 2026 11:41:47 +0900
Subject: [PATCH 1/9] feat: allow knowledge base API keys to be scoped to a
 single dataset

Reintroduce the nullable api_tokens.dataset_id column (dropped in 2e9819ca5b28)
so dataset API keys can opt into per-knowledge-base scoping:

- NULL dataset_id keeps today's workspace-wide behavior, so every existing key
  and the existing /datasets/api-keys create route are unchanged.
- validate_dataset_token rejects a bound key for any other dataset, and for
  endpoints that carry no dataset id (e.g. list-all), with 403.
- CachedApiToken carries dataset_id with a None default so cache entries
  written before deploy keep deserializing.
- The per-dataset console routes in apikey.py (previously dead code that 500ed
  on a missing ApiToken.dataset_id) now create bound keys; their list returns
  bound keys plus workspace keys so the dataset page shows the full access
  picture.
- Frontend: the knowledge base API access popover gains an API keys entry; the
  secret key modal accepts datasetId, shows a scope column, and offers a
  workspace / this-knowledge-base scope choice on create. New strings are
  localized for all 23 locales.
---
 api/controllers/console/apikey.py             |  41 ++++-
 api/controllers/service_api/wraps.py          |   8 +
 ...f8a2c61d35_add_dataset_id_to_api_tokens.py |  40 +++++
 api/models/model.py                           |  20 ++-
 api/services/api_token_service.py             |   4 +
 .../controllers/console/test_apikey.py        | 135 +++++++++++++++-
 .../console/datasets/test_datasets.py         |   3 +
 .../controllers/console/test_apikey.py        |  44 +++++-
 .../controllers/service_api/test_wraps.py     | 130 ++++++++++++++++
 .../unit_tests/libs/test_api_token_cache.py   |  25 +++
 .../extra-info/__tests__/index.spec.tsx       | 145 ++++++++++++------
 .../api-access/__tests__/card.spec.tsx        |  55 +++++--
 .../api-access/__tests__/index.spec.tsx       |  14 ++
 .../datasets/extra-info/api-access/card.tsx   |  19 ++-
 .../datasets/extra-info/api-access/index.tsx  |  20 ++-
 .../__tests__/secret-key-modal.spec.tsx       | 102 ++++++++++++
 .../develop/secret-key/secret-key-modal.tsx   |  55 ++++++-
 web/i18n/ar-TN/app-api.json                   |   4 +
 web/i18n/de-DE/app-api.json                   |   4 +
 web/i18n/en-US/app-api.json                   |   4 +
 web/i18n/es-ES/app-api.json                   |   4 +
 web/i18n/fa-IR/app-api.json                   |   4 +
 web/i18n/fr-FR/app-api.json                   |   4 +
 web/i18n/hi-IN/app-api.json                   |   4 +
 web/i18n/id-ID/app-api.json                   |   4 +
 web/i18n/it-IT/app-api.json                   |   4 +
 web/i18n/ja-JP/app-api.json                   |   4 +
 web/i18n/ko-KR/app-api.json                   |   4 +
 web/i18n/nl-NL/app-api.json                   |   4 +
 web/i18n/pl-PL/app-api.json                   |   4 +
 web/i18n/pt-BR/app-api.json                   |   4 +
 web/i18n/ro-RO/app-api.json                   |   4 +
 web/i18n/ru-RU/app-api.json                   |   4 +
 web/i18n/sl-SI/app-api.json                   |   4 +
 web/i18n/th-TH/app-api.json                   |   4 +
 web/i18n/tr-TR/app-api.json                   |   4 +
 web/i18n/uk-UA/app-api.json                   |   4 +
 web/i18n/vi-VN/app-api.json                   |   4 +
 web/i18n/zh-Hans/app-api.json                 |   4 +
 web/i18n/zh-Hant/app-api.json                 |   4 +
 web/models/app.ts                             |   3 +
 web/service/knowledge/use-dataset.ts          |  11 ++
 42 files changed, 886 insertions(+), 80 deletions(-)
 create mode 100644 api/migrations/versions/2026_06_10_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py

diff --git a/api/controllers/console/apikey.py b/api/controllers/console/apikey.py
index 57470dc9770..d3d57e35104 100644
--- a/api/controllers/console/apikey.py
+++ b/api/controllers/console/apikey.py
@@ -1,11 +1,12 @@
 from datetime import datetime
+from typing import override
 from uuid import UUID
 
 import flask_restx
 from flask_restx import Resource
 from flask_restx._http import HTTPStatus
 from pydantic import field_validator
-from sqlalchemy import delete, func, select
+from sqlalchemy import delete, func, or_, select
 from sqlalchemy.orm import sessionmaker
 from werkzeug.exceptions import Forbidden
 
@@ -34,6 +35,9 @@ class ApiKeyItem(ResponseModel):
     id: str
     type: str
     token: str
+    # Set only for dataset keys bound to a single knowledge base; None means the
+    # key is workspace-scoped (app keys are always None).
+    dataset_id: str | None = None
     last_used_at: int | None = None
     created_at: int | None = None
 
@@ -218,30 +222,55 @@ class AppApiKeyResource(BaseApiKeyResource):
 
 @console_ns.route("/datasets/<uuid:resource_id>/api-keys")
 class DatasetApiKeyListResource(BaseApiKeyListResource):
+    """Per-dataset API keys: keys created here are bound to a single dataset.
+
+    Binding is stored in ``ApiToken.dataset_id`` and enforced by
+    ``validate_dataset_token`` (controllers/service_api/wraps.py). Workspace-scoped
+    keys (NULL ``dataset_id``) are managed by ``DatasetApiKeyApi`` in
+    controllers/console/datasets/datasets.py.
+    """
+
     @console_ns.doc("get_dataset_api_keys")
-    @console_ns.doc(description="Get all API keys for a dataset")
+    @console_ns.doc(description="Get all API keys that can access a dataset")
     @console_ns.doc(params={"resource_id": "Dataset ID"})
     @console_ns.response(200, "API keys retrieved successfully", console_ns.models[ApiKeyList.__name__])
     @with_current_tenant_id
     def get(self, current_tenant_id: str, resource_id: UUID) -> dict[str, object]:
-        """Get all API keys for a dataset"""
+        """Get all API keys that can access a dataset"""
         return dump_response(ApiKeyList, self._get_api_key_list(str(resource_id), current_tenant_id))
 
+    @override
+    def _get_api_key_list(self, resource_id: str, current_tenant_id: str) -> ApiKeyList:
+        # Unlike the app list, this returns every key that can reach the dataset:
+        # keys bound to it plus the tenant's workspace-scoped (NULL dataset_id) keys,
+        # so the dataset page shows the full access picture rather than a subset.
+        _get_resource(resource_id, current_tenant_id, self.resource_model)
+        keys = db.session.scalars(
+            select(ApiToken).where(
+                ApiToken.type == self.resource_type,
+                ApiToken.tenant_id == current_tenant_id,
+                or_(ApiToken.dataset_id == resource_id, ApiToken.dataset_id.is_(None)),
+            )
+        ).all()
+        return ApiKeyList.model_validate({"data": keys}, from_attributes=True)
+
     @console_ns.doc("create_dataset_api_key")
-    @console_ns.doc(description="Create a new API key for a dataset")
+    @console_ns.doc(description="Create a new API key bound to a single dataset")
     @console_ns.doc(params={"resource_id": "Dataset ID"})
     @console_ns.response(201, "API key created successfully", console_ns.models[ApiKeyItem.__name__])
     @console_ns.response(400, "Maximum keys exceeded")
     @with_current_tenant_id
     @edit_permission_required
     def post(self, current_tenant_id: str, resource_id: UUID) -> tuple[dict[str, object], int]:
-        """Create a new API key for a dataset"""
+        """Create a new API key bound to a single dataset"""
         return dump_response(ApiKeyItem, self._create_api_key(str(resource_id), current_tenant_id)), 201
 
     resource_type = ApiTokenType.DATASET
     resource_model = Dataset
     resource_id_field = "dataset_id"
-    token_prefix = "ds-"
+    # Same prefix as workspace-scoped dataset keys (datasets.py); scope is carried
+    # by the dataset_id column, not the token text.
+    token_prefix = "dataset-"
 
 
 @console_ns.route("/datasets/<uuid:resource_id>/api-keys/<uuid:api_key_id>")
diff --git a/api/controllers/service_api/wraps.py b/api/controllers/service_api/wraps.py
index 013ea34a6ab..34b060be91d 100644
--- a/api/controllers/service_api/wraps.py
+++ b/api/controllers/service_api/wraps.py
@@ -262,6 +262,14 @@ def validate_dataset_token[R](view: Callable[..., R]) -> Callable[..., R]:
             except Exception:
                 logger.exception("Failed to parse dataset_id from positional args")
 
+        # A dataset-bound token (non-NULL dataset_id) may only call endpoints that
+        # carry its own dataset id; endpoints without one (e.g. list/create datasets)
+        # are rejected outright. Workspace-scoped tokens (dataset_id IS NULL) keep
+        # tenant-wide access, which preserves behavior for all keys created before
+        # per-dataset scoping existed.
+        if api_token.dataset_id and (not dataset_id or str(dataset_id) != str(api_token.dataset_id)):
+            raise Forbidden("The API key is not authorized to access this knowledge base.")
+
         if dataset_id:
             dataset_id = str(dataset_id)
             dataset = db.session.scalar(
diff --git a/api/migrations/versions/2026_06_10_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py b/api/migrations/versions/2026_06_10_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py
new file mode 100644
index 00000000000..d81df685ffb
--- /dev/null
+++ b/api/migrations/versions/2026_06_10_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py
@@ -0,0 +1,40 @@
+"""add dataset_id to api_tokens
+
+Revision ID: e4f8a2c61d35
+Revises: 7bad07dc267d
+Create Date: 2026-06-10 09:00:00.000000
+
+Reintroduces the nullable `dataset_id` column on `api_tokens` (it was dropped in
+2e9819ca5b28 when dataset keys became tenant-scoped) to support API keys bound to
+a single dataset/knowledge base:
+
+    NULL      — workspace-scoped key (default; behavior of every pre-existing key).
+    <uuid>    — key may only access the bound dataset; enforced in
+                controllers/service_api/wraps.py::validate_dataset_token.
+
+No backfill is needed: NULL is the correct value for all existing rows. The column
+is nullable with no default, so this is a metadata-only change on PostgreSQL.
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+import models as models
+
+# revision identifiers, used by Alembic.
+revision = "e4f8a2c61d35"
+down_revision = "7bad07dc267d"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    with op.batch_alter_table("api_tokens", schema=None) as batch_op:
+        batch_op.add_column(sa.Column("dataset_id", models.types.StringUUID(), nullable=True))
+        batch_op.create_index("api_token_dataset_id_idx", ["dataset_id", "type"], unique=False)
+
+
+def downgrade():
+    with op.batch_alter_table("api_tokens", schema=None) as batch_op:
+        batch_op.drop_index("api_token_dataset_id_idx")
+        batch_op.drop_column("dataset_id")
diff --git a/api/models/model.py b/api/models/model.py
index 96ab7b0e6e2..8eac8d5a322 100644
--- a/api/models/model.py
+++ b/api/models/model.py
@@ -2184,18 +2184,36 @@ class Site(Base):
         return dify_config.APP_WEB_URL or request.url_root.rstrip("/")
 
 
-class ApiToken(Base):  # bug: this uses setattr so idk the field.
+class ApiToken(Base):
+    """API token for the service API.
+
+    Scoping rules:
+    - ``type`` = "app": ``app_id`` points at the app the key serves.
+    - ``type`` = "dataset": ``tenant_id`` is always set. ``dataset_id`` is NULL for
+      workspace-scoped keys (full access to every dataset in the tenant — the default
+      and the only behavior before the column was reintroduced) or set to bind the key
+      to a single dataset (least-privilege keys created from a knowledge base page).
+      Enforcement lives in ``validate_dataset_token`` (controllers/service_api/wraps.py);
+      cached copies must mirror this field (services/api_token_service.CachedApiToken).
+
+    Note: controllers/console/apikey.py assigns the *_id columns via ``setattr`` keyed
+    on ``resource_id_field``, so renaming ``app_id``/``dataset_id`` requires updating
+    those controllers too.
+    """
+
     __tablename__ = "api_tokens"
     __table_args__ = (
         sa.PrimaryKeyConstraint("id", name="api_token_pkey"),
         sa.Index("api_token_app_id_type_idx", "app_id", "type"),
         sa.Index("api_token_token_idx", "token", "type"),
         sa.Index("api_token_tenant_idx", "tenant_id", "type"),
+        sa.Index("api_token_dataset_id_idx", "dataset_id", "type"),
     )
 
     id = mapped_column(StringUUID, default=lambda: str(uuid4()))
     app_id = mapped_column(StringUUID, nullable=True)
     tenant_id = mapped_column(StringUUID, nullable=True)
+    dataset_id: Mapped[str | None] = mapped_column(StringUUID, nullable=True)
     type: Mapped[ApiTokenType] = mapped_column(EnumText(ApiTokenType, length=16), nullable=False)
     token: Mapped[str] = mapped_column(String(255), nullable=False)
     last_used_at = mapped_column(sa.DateTime, nullable=True)
diff --git a/api/services/api_token_service.py b/api/services/api_token_service.py
index e9d887195a7..bf44f3ab6b7 100644
--- a/api/services/api_token_service.py
+++ b/api/services/api_token_service.py
@@ -38,6 +38,9 @@ class CachedApiToken(BaseModel):
     id: str
     app_id: str | None
     tenant_id: str | None
+    # Defaults to None so cache entries written before this field existed keep
+    # deserializing; a validation failure here would 401 live tokens until TTL expiry.
+    dataset_id: str | None = None
     type: str
     token: str
     last_used_at: datetime | None
@@ -95,6 +98,7 @@ class ApiTokenCache:
             id=str(api_token.id),
             app_id=str(api_token.app_id) if api_token.app_id else None,
             tenant_id=str(api_token.tenant_id) if api_token.tenant_id else None,
+            dataset_id=str(api_token.dataset_id) if api_token.dataset_id else None,
             type=api_token.type,
             token=api_token.token,
             last_used_at=api_token.last_used_at,
diff --git a/api/tests/test_containers_integration_tests/controllers/console/test_apikey.py b/api/tests/test_containers_integration_tests/controllers/console/test_apikey.py
index 8559501c898..d6118f06275 100644
--- a/api/tests/test_containers_integration_tests/controllers/console/test_apikey.py
+++ b/api/tests/test_containers_integration_tests/controllers/console/test_apikey.py
@@ -3,6 +3,7 @@
 from __future__ import annotations
 
 from unittest.mock import MagicMock, patch
+from uuid import uuid4
 
 import pytest
 from flask import Flask
@@ -12,7 +13,8 @@ from sqlalchemy.orm import Session
 
 from models import Account
 from models.account import AccountStatus, TenantAccountRole
-from models.enums import ApiTokenType
+from models.dataset import Dataset
+from models.enums import ApiTokenType, DataSourceType
 from models.model import ApiToken, App, AppMode
 from tests.test_containers_integration_tests.controllers.console.helpers import (
     authenticate_console_client,
@@ -33,6 +35,28 @@ def setup_app(
     return test_client_with_containers, headers, app
 
 
+@pytest.fixture
+def setup_dataset(
+    db_session_with_containers: Session,
+    test_client_with_containers: FlaskClient,
+) -> tuple[FlaskClient, dict[str, str], Dataset]:
+    """Create an authenticated client with a dataset for per-dataset API key tests."""
+    account, tenant = create_console_account_and_tenant(db_session_with_containers)
+    dataset = Dataset(
+        tenant_id=tenant.id,
+        name=f"API Key Dataset {uuid4()}",
+        description="Dataset for API key scoping tests",
+        data_source_type=DataSourceType.UPLOAD_FILE,
+        created_by=account.id,
+        permission="only_me",
+        provider="vendor",
+    )
+    db_session_with_containers.add(dataset)
+    db_session_with_containers.commit()
+    headers = authenticate_console_client(test_client_with_containers, account)
+    return test_client_with_containers, headers, dataset
+
+
 @pytest.fixture(autouse=True)
 def cleanup_api_tokens(db_session_with_containers: Session):
     """Remove API tokens created during each test."""
@@ -184,3 +208,112 @@ class TestAppApiKeyResource:
         ):
             with pytest.raises(Forbidden):
                 BaseApiKeyResource.delete(resource, "rid", "kid", "tenant-id", non_admin)
+
+
+class TestDatasetApiKeyListResource:
+    """Tests for GET/POST /datasets/<resource_id>/api-keys (dataset-bound keys)."""
+
+    def test_create_dataset_bound_key(
+        self,
+        setup_dataset: tuple[FlaskClient, dict[str, str], Dataset],
+        db_session_with_containers: Session,
+    ) -> None:
+        client, headers, dataset = setup_dataset
+
+        resp = client.post(f"/console/api/datasets/{dataset.id}/api-keys", headers=headers)
+
+        assert resp.status_code == 201
+        assert resp.json is not None
+        assert resp.json["token"].startswith("dataset-")
+        assert resp.json["dataset_id"] == dataset.id
+        api_token = db_session_with_containers.scalar(select(ApiToken).where(ApiToken.id == resp.json["id"]))
+        assert api_token is not None
+        assert api_token.dataset_id == dataset.id
+        assert api_token.tenant_id == dataset.tenant_id
+        assert api_token.type == ApiTokenType.DATASET
+
+    def test_list_includes_bound_and_workspace_scoped_keys(
+        self,
+        setup_dataset: tuple[FlaskClient, dict[str, str], Dataset],
+        db_session_with_containers: Session,
+    ) -> None:
+        client, headers, dataset = setup_dataset
+
+        # A bound key via the per-dataset route and a workspace key via the tenant route.
+        bound_resp = client.post(f"/console/api/datasets/{dataset.id}/api-keys", headers=headers)
+        assert bound_resp.status_code == 201
+        workspace_resp = client.post("/console/api/datasets/api-keys", headers=headers)
+        assert workspace_resp.status_code == 200
+
+        resp = client.get(f"/console/api/datasets/{dataset.id}/api-keys", headers=headers)
+
+        assert resp.status_code == 200
+        assert resp.json is not None
+        scopes = {item["id"]: item["dataset_id"] for item in resp.json["data"]}
+        assert bound_resp.json is not None
+        assert workspace_resp.json is not None
+        assert scopes[bound_resp.json["id"]] == dataset.id
+        assert scopes[workspace_resp.json["id"]] is None
+
+    def test_list_excludes_keys_bound_to_other_datasets(
+        self,
+        setup_dataset: tuple[FlaskClient, dict[str, str], Dataset],
+        db_session_with_containers: Session,
+    ) -> None:
+        client, headers, dataset = setup_dataset
+        other_dataset = Dataset(
+            tenant_id=dataset.tenant_id,
+            name=f"Other Dataset {uuid4()}",
+            description="Second dataset",
+            data_source_type=DataSourceType.UPLOAD_FILE,
+            created_by=dataset.created_by,
+            permission="only_me",
+            provider="vendor",
+        )
+        db_session_with_containers.add(other_dataset)
+        db_session_with_containers.commit()
+
+        other_resp = client.post(f"/console/api/datasets/{other_dataset.id}/api-keys", headers=headers)
+        assert other_resp.status_code == 201
+
+        resp = client.get(f"/console/api/datasets/{dataset.id}/api-keys", headers=headers)
+
+        assert resp.status_code == 200
+        assert resp.json is not None
+        assert other_resp.json is not None
+        assert other_resp.json["id"] not in {item["id"] for item in resp.json["data"]}
+
+    def test_workspace_route_creates_unbound_key(
+        self,
+        setup_dataset: tuple[FlaskClient, dict[str, str], Dataset],
+        db_session_with_containers: Session,
+    ) -> None:
+        """The pre-existing workspace route must keep creating NULL-scoped keys."""
+        client, headers, _ = setup_dataset
+
+        resp = client.post("/console/api/datasets/api-keys", headers=headers)
+
+        assert resp.status_code == 200
+        assert resp.json is not None
+        api_token = db_session_with_containers.scalar(select(ApiToken).where(ApiToken.id == resp.json["id"]))
+        assert api_token is not None
+        assert api_token.dataset_id is None
+
+
+class TestDatasetApiKeyResource:
+    """Tests for DELETE /datasets/<resource_id>/api-keys/<api_key_id>."""
+
+    def test_delete_bound_key(
+        self,
+        setup_dataset: tuple[FlaskClient, dict[str, str], Dataset],
+    ) -> None:
+        client, headers, dataset = setup_dataset
+        create_resp = client.post(f"/console/api/datasets/{dataset.id}/api-keys", headers=headers)
+        assert create_resp.json is not None
+
+        resp = client.delete(
+            f"/console/api/datasets/{dataset.id}/api-keys/{create_resp.json['id']}",
+            headers=headers,
+        )
+
+        assert resp.status_code == 204
diff --git a/api/tests/unit_tests/controllers/console/datasets/test_datasets.py b/api/tests/unit_tests/controllers/console/datasets/test_datasets.py
index 101a640699f..491aa5b258d 100644
--- a/api/tests/unit_tests/controllers/console/datasets/test_datasets.py
+++ b/api/tests/unit_tests/controllers/console/datasets/test_datasets.py
@@ -1516,12 +1516,14 @@ class TestDatasetApiKeyApi:
         mock_key_1 = MagicMock(spec=ApiToken)
         mock_key_1.id = "key-1"
         mock_key_1.type = "dataset"
+        mock_key_1.dataset_id = None
         mock_key_1.token = "ds-abc"
         mock_key_1.last_used_at = None
         mock_key_1.created_at = None
         mock_key_2 = MagicMock(spec=ApiToken)
         mock_key_2.id = "key-2"
         mock_key_2.type = "dataset"
+        mock_key_2.dataset_id = None
         mock_key_2.token = "ds-def"
         mock_key_2.last_used_at = None
         mock_key_2.created_at = None
@@ -1548,6 +1550,7 @@ class TestDatasetApiKeyApi:
 
         mock_token = MagicMock()
         mock_token.id = "new-key-id"
+        mock_token.dataset_id = None
         mock_token.last_used_at = None
         mock_token.created_at = datetime.datetime(2024, 1, 1, 0, 0, 0, tzinfo=datetime.UTC)
 
diff --git a/api/tests/unit_tests/controllers/console/test_apikey.py b/api/tests/unit_tests/controllers/console/test_apikey.py
index 1517ff5ed8e..803fbfaef8d 100644
--- a/api/tests/unit_tests/controllers/console/test_apikey.py
+++ b/api/tests/unit_tests/controllers/console/test_apikey.py
@@ -9,9 +9,10 @@ from unittest.mock import patch
 import pytest
 from werkzeug.exceptions import Forbidden
 
-from controllers.console.apikey import BaseApiKeyListResource, BaseApiKeyResource
+from controllers.console.apikey import BaseApiKeyListResource, BaseApiKeyResource, DatasetApiKeyListResource
 from models import Account
 from models.account import AccountStatus, TenantAccountRole
+from models.dataset import Dataset
 from models.enums import ApiTokenType
 from models.model import ApiToken, App
 
@@ -69,6 +70,7 @@ def test_list_api_keys_uses_injected_tenant_id() -> None:
                 "id": "key-1",
                 "type": "app",
                 "token": "app-token",
+                "dataset_id": None,
                 "last_used_at": None,
                 "created_at": None,
             }
@@ -106,6 +108,46 @@ def test_create_api_key_uses_injected_tenant_id() -> None:
     db_mock.session.commit.assert_called_once()
 
 
+def test_create_dataset_api_key_binds_dataset_id() -> None:
+    """Creating a key on the per-dataset route must bind it to that dataset (ApiToken.dataset_id)."""
+    resource = DatasetApiKeyListResource()
+
+    def add_api_token(api_token: ApiToken) -> None:
+        api_token.id = "key-1"
+
+    with (
+        patch("controllers.console.apikey._get_resource") as get_resource,
+        patch("controllers.console.apikey.db") as db_mock,
+        patch("controllers.console.apikey.ApiToken.generate_api_key", return_value="dataset-generated-token"),
+    ):
+        db_mock.session.scalar.return_value = 0
+        db_mock.session.add.side_effect = add_api_token
+
+        api_token = resource._create_api_key("dataset-1", "tenant-1")
+
+    get_resource.assert_called_once_with("dataset-1", "tenant-1", Dataset)
+    assert api_token.dataset_id == "dataset-1"
+    assert api_token.tenant_id == "tenant-1"
+    assert api_token.type == ApiTokenType.DATASET
+    db_mock.session.commit.assert_called_once()
+
+
+def test_dataset_api_key_list_includes_workspace_scoped_keys() -> None:
+    """The per-dataset key list shows everything that can reach the dataset:
+    keys bound to it plus the tenant's workspace-scoped (NULL dataset_id) keys."""
+    resource = DatasetApiKeyListResource()
+
+    with (
+        patch("controllers.console.apikey._get_resource"),
+        patch("controllers.console.apikey.db") as db_mock,
+    ):
+        db_mock.session.scalars.return_value.all.return_value = []
+        resource._get_api_key_list("dataset-1", "tenant-1")
+
+    query_sql = str(db_mock.session.scalars.call_args.args[0])
+    assert "dataset_id IS NULL" in query_sql
+
+
 def test_delete_api_key_rejects_non_admin_account() -> None:
     resource = _make_key_resource()
 
diff --git a/api/tests/unit_tests/controllers/service_api/test_wraps.py b/api/tests/unit_tests/controllers/service_api/test_wraps.py
index 0b5c5d95b69..92baa03c8e0 100644
--- a/api/tests/unit_tests/controllers/service_api/test_wraps.py
+++ b/api/tests/unit_tests/controllers/service_api/test_wraps.py
@@ -516,6 +516,7 @@ class TestValidateDatasetToken:
         tenant_id = str(uuid.uuid4())
         mock_api_token = Mock()
         mock_api_token.tenant_id = tenant_id
+        mock_api_token.dataset_id = None
         mock_validate_token.return_value = mock_api_token
 
         mock_tenant = Mock()
@@ -554,6 +555,7 @@ class TestValidateDatasetToken:
         # Arrange
         mock_api_token = Mock()
         mock_api_token.tenant_id = str(uuid.uuid4())
+        mock_api_token.dataset_id = None
         mock_validate_token.return_value = mock_api_token
 
         mock_db.session.scalar.return_value = None
@@ -568,6 +570,134 @@ class TestValidateDatasetToken:
                 protected_view(dataset_id=str(uuid.uuid4()))
             assert "Dataset not found" in str(exc_info.value)
 
+    def _arrange_tenant_owner(self, mock_db, tenant_id: str) -> None:
+        """Stub the tenant-owner resolution shared by all success-path tests."""
+        mock_tenant = Mock()
+        mock_tenant.id = tenant_id
+        mock_tenant.status = TenantStatus.NORMAL
+
+        mock_ta = Mock()
+        mock_ta.account_id = str(uuid.uuid4())
+
+        mock_account = Mock()
+        mock_account.id = mock_ta.account_id
+        mock_account.current_tenant = mock_tenant
+
+        setup_mock_dataset_owner_execute_result(mock_db, mock_tenant, mock_ta)
+        mock_db.session.get.return_value = mock_account
+
+    @patch("controllers.service_api.wraps.user_logged_in")
+    @patch("controllers.service_api.wraps.db")
+    @patch("controllers.service_api.wraps.validate_and_get_api_token")
+    @patch("controllers.service_api.wraps.current_app")
+    def test_workspace_scoped_token_can_access_any_dataset(
+        self, mock_current_app, mock_validate_token, mock_db, mock_user_logged_in, app: Flask
+    ):
+        """A token without dataset binding (NULL dataset_id) keeps tenant-wide access."""
+        # Arrange
+        _configure_current_app_mock(mock_current_app)
+
+        tenant_id = str(uuid.uuid4())
+        dataset_id = str(uuid.uuid4())
+        mock_api_token = Mock()
+        mock_api_token.tenant_id = tenant_id
+        mock_api_token.dataset_id = None
+        mock_validate_token.return_value = mock_api_token
+
+        mock_dataset = Mock()
+        mock_dataset.id = dataset_id
+        mock_dataset.enable_api = True
+        mock_db.session.scalar.return_value = mock_dataset
+
+        self._arrange_tenant_owner(mock_db, tenant_id)
+
+        @validate_dataset_token
+        def protected_view(tenant_id, dataset_id=None):
+            return {"success": True}
+
+        # Act
+        with app.test_request_context("/", method="GET", headers={"Authorization": "Bearer test_token"}):
+            result = protected_view(dataset_id=dataset_id)
+
+        # Assert
+        assert result["success"] is True
+
+    @patch("controllers.service_api.wraps.user_logged_in")
+    @patch("controllers.service_api.wraps.db")
+    @patch("controllers.service_api.wraps.validate_and_get_api_token")
+    @patch("controllers.service_api.wraps.current_app")
+    def test_dataset_bound_token_allows_its_own_dataset(
+        self, mock_current_app, mock_validate_token, mock_db, mock_user_logged_in, app: Flask
+    ):
+        """A dataset-bound token can access the dataset it is bound to."""
+        # Arrange
+        _configure_current_app_mock(mock_current_app)
+
+        tenant_id = str(uuid.uuid4())
+        dataset_id = str(uuid.uuid4())
+        mock_api_token = Mock()
+        mock_api_token.tenant_id = tenant_id
+        mock_api_token.dataset_id = dataset_id
+        mock_validate_token.return_value = mock_api_token
+
+        mock_dataset = Mock()
+        mock_dataset.id = dataset_id
+        mock_dataset.enable_api = True
+        mock_db.session.scalar.return_value = mock_dataset
+
+        self._arrange_tenant_owner(mock_db, tenant_id)
+
+        @validate_dataset_token
+        def protected_view(tenant_id, dataset_id=None):
+            return {"success": True}
+
+        # Act
+        with app.test_request_context("/", method="GET", headers={"Authorization": "Bearer test_token"}):
+            result = protected_view(dataset_id=dataset_id)
+
+        # Assert
+        assert result["success"] is True
+
+    @patch("controllers.service_api.wraps.db")
+    @patch("controllers.service_api.wraps.validate_and_get_api_token")
+    def test_dataset_bound_token_rejects_other_dataset(self, mock_validate_token, mock_db, app: Flask):
+        """A dataset-bound token gets Forbidden for any other dataset in the tenant."""
+        # Arrange
+        mock_api_token = Mock()
+        mock_api_token.tenant_id = str(uuid.uuid4())
+        mock_api_token.dataset_id = str(uuid.uuid4())
+        mock_validate_token.return_value = mock_api_token
+
+        @validate_dataset_token
+        def protected_view(tenant_id, dataset_id=None):
+            return {"success": True}
+
+        # Act & Assert
+        with app.test_request_context("/", method="GET"):
+            with pytest.raises(Forbidden) as exc_info:
+                protected_view(dataset_id=str(uuid.uuid4()))
+            assert "not authorized" in str(exc_info.value)
+
+    @patch("controllers.service_api.wraps.db")
+    @patch("controllers.service_api.wraps.validate_and_get_api_token")
+    def test_dataset_bound_token_rejects_request_without_dataset_id(self, mock_validate_token, mock_db, app: Flask):
+        """A dataset-bound token cannot call endpoints that carry no dataset id (e.g. list-all)."""
+        # Arrange
+        mock_api_token = Mock()
+        mock_api_token.tenant_id = str(uuid.uuid4())
+        mock_api_token.dataset_id = str(uuid.uuid4())
+        mock_validate_token.return_value = mock_api_token
+
+        @validate_dataset_token
+        def protected_view(tenant_id):
+            return {"success": True}
+
+        # Act & Assert
+        with app.test_request_context("/", method="GET"):
+            with pytest.raises(Forbidden) as exc_info:
+                protected_view()
+            assert "not authorized" in str(exc_info.value)
+
 
 class TestFetchUserArg:
     """Test suite for FetchUserArg model"""
diff --git a/api/tests/unit_tests/libs/test_api_token_cache.py b/api/tests/unit_tests/libs/test_api_token_cache.py
index fa4c5e77a71..ba2e2bb454a 100644
--- a/api/tests/unit_tests/libs/test_api_token_cache.py
+++ b/api/tests/unit_tests/libs/test_api_token_cache.py
@@ -24,6 +24,7 @@ class TestApiTokenCache:
         self.mock_token.id = "test-token-id-123"
         self.mock_token.app_id = "test-app-id-456"
         self.mock_token.tenant_id = "test-tenant-id-789"
+        self.mock_token.dataset_id = None
         self.mock_token.type = "app"
         self.mock_token.token = "test-token-value-abc"
         self.mock_token.last_used_at = datetime(2026, 2, 3, 10, 0, 0)
@@ -47,6 +48,7 @@ class TestApiTokenCache:
         assert data["id"] == "test-token-id-123"
         assert data["app_id"] == "test-app-id-456"
         assert data["tenant_id"] == "test-tenant-id-789"
+        assert data["dataset_id"] is None
         assert data["type"] == "app"
         assert data["token"] == "test-token-value-abc"
         assert data["last_used_at"] == "2026-02-03T10:00:00"
@@ -58,6 +60,7 @@ class TestApiTokenCache:
         mock_token.id = "test-id"
         mock_token.app_id = None
         mock_token.tenant_id = None
+        mock_token.dataset_id = None
         mock_token.type = "dataset"
         mock_token.token = "test-token"
         mock_token.last_used_at = None
@@ -70,6 +73,24 @@ class TestApiTokenCache:
         assert data["tenant_id"] is None
         assert data["last_used_at"] is None
 
+    def test_serialize_dataset_bound_token(self):
+        """Test that a dataset-bound token round-trips its dataset_id through the cache."""
+        mock_token = MagicMock()
+        mock_token.id = "test-id"
+        mock_token.app_id = None
+        mock_token.tenant_id = "test-tenant"
+        mock_token.dataset_id = "test-dataset-id-123"
+        mock_token.type = "dataset"
+        mock_token.token = "test-token"
+        mock_token.last_used_at = None
+        mock_token.created_at = datetime(2026, 1, 1, 0, 0, 0)
+
+        serialized = ApiTokenCache._serialize_token(mock_token)
+        deserialized = ApiTokenCache._deserialize_token(serialized)
+
+        assert isinstance(deserialized, CachedApiToken)
+        assert deserialized.dataset_id == "test-dataset-id-123"
+
     def test_deserialize_token(self):
         """Test token deserialization."""
         cached_data = json.dumps(
@@ -94,6 +115,9 @@ class TestApiTokenCache:
         assert result.token == "test-token"
         assert result.last_used_at == datetime(2026, 2, 3, 10, 0, 0)
         assert result.created_at == datetime(2026, 1, 1, 0, 0, 0)
+        # Cache entries written before the dataset_id field existed must keep
+        # deserializing (otherwise live tokens 401 until the cache TTL expires).
+        assert result.dataset_id is None
 
     def test_deserialize_null_token(self):
         """Test deserialization of null token (cached miss)."""
@@ -218,6 +242,7 @@ class TestApiTokenCacheIntegration:
         mock_token.id = "id-123"
         mock_token.app_id = "app-456"
         mock_token.tenant_id = "tenant-789"
+        mock_token.dataset_id = None
         mock_token.type = "app"
         mock_token.token = "token-abc"
         mock_token.last_used_at = datetime(2026, 2, 3, 10, 0, 0)
diff --git a/web/app/components/datasets/extra-info/__tests__/index.spec.tsx b/web/app/components/datasets/extra-info/__tests__/index.spec.tsx
index de61894a11a..386f97c901d 100644
--- a/web/app/components/datasets/extra-info/__tests__/index.spec.tsx
+++ b/web/app/components/datasets/extra-info/__tests__/index.spec.tsx
@@ -1,4 +1,5 @@
 import type { DataSet, RelatedApp, RelatedAppResponse } from '@/models/datasets'
+import { Popover } from '@langgenius/dify-ui/popover'
 import { render, screen, waitFor } from '@testing-library/react'
 import userEvent from '@testing-library/user-event'
 import { describe, expect, it, vi } from 'vitest'
@@ -529,9 +530,12 @@ describe('ApiAccessCard', () => {
   describe('Rendering', () => {
     it('should render without crashing', () => {
       render(
-        <ApiAccessCard
-          apiEnabled={true}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={true}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       expect(screen.getByText(/serviceApi\.enabled/i)).toBeInTheDocument()
@@ -539,9 +543,12 @@ describe('ApiAccessCard', () => {
 
     it('should display enabled status when API is enabled', () => {
       render(
-        <ApiAccessCard
-          apiEnabled={true}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={true}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       expect(screen.getByText(/serviceApi\.enabled/i)).toBeInTheDocument()
@@ -549,9 +556,12 @@ describe('ApiAccessCard', () => {
 
     it('should display disabled status when API is disabled', () => {
       render(
-        <ApiAccessCard
-          apiEnabled={false}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={false}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       expect(screen.getByText(/serviceApi\.disabled/i)).toBeInTheDocument()
@@ -559,9 +569,12 @@ describe('ApiAccessCard', () => {
 
     it('should render API Reference link', () => {
       render(
-        <ApiAccessCard
-          apiEnabled={true}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={true}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       expect(screen.getByText(/overview\.apiInfo\.doc/i)).toBeInTheDocument()
@@ -569,9 +582,12 @@ describe('ApiAccessCard', () => {
 
     it('should render switch component', () => {
       render(
-        <ApiAccessCard
-          apiEnabled={true}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={true}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       expect(screen.getByRole('switch')).toBeInTheDocument()
@@ -583,9 +599,12 @@ describe('ApiAccessCard', () => {
       const user = userEvent.setup()
 
       render(
-        <ApiAccessCard
-          apiEnabled={false}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={false}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       const switchButton = screen.getByRole('switch')
@@ -600,9 +619,12 @@ describe('ApiAccessCard', () => {
       const user = userEvent.setup()
 
       render(
-        <ApiAccessCard
-          apiEnabled={true}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={true}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       const switchButton = screen.getByRole('switch')
@@ -617,9 +639,12 @@ describe('ApiAccessCard', () => {
       const user = userEvent.setup()
 
       render(
-        <ApiAccessCard
-          apiEnabled={false}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={false}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       const switchButton = screen.getByRole('switch')
@@ -635,9 +660,12 @@ describe('ApiAccessCard', () => {
       const user = userEvent.setup()
 
       render(
-        <ApiAccessCard
-          apiEnabled={false}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={false}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       const switchButton = screen.getByRole('switch')
@@ -653,9 +681,12 @@ describe('ApiAccessCard', () => {
 
     it('should have correct href for API Reference link', () => {
       render(
-        <ApiAccessCard
-          apiEnabled={true}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={true}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       const apiRefLink = screen.getByText(/overview\.apiInfo\.doc/i).closest('a')
@@ -668,9 +699,12 @@ describe('ApiAccessCard', () => {
       mockIsCurrentWorkspaceManager = false
 
       render(
-        <ApiAccessCard
-          apiEnabled={true}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={true}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       const switchButton = screen.getByRole('switch')
@@ -681,9 +715,12 @@ describe('ApiAccessCard', () => {
       mockIsCurrentWorkspaceManager = true
 
       render(
-        <ApiAccessCard
-          apiEnabled={true}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={true}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       const switchButton = screen.getByRole('switch')
@@ -694,15 +731,21 @@ describe('ApiAccessCard', () => {
   describe('Memoization', () => {
     it('should be memoized with React.memo', () => {
       const { rerender } = render(
-        <ApiAccessCard
-          apiEnabled={true}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={true}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       rerender(
-        <ApiAccessCard
-          apiEnabled={true}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={true}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       expect(screen.getByText(/serviceApi\.enabled/i)).toBeInTheDocument()
@@ -711,15 +754,21 @@ describe('ApiAccessCard', () => {
     it('should use useCallback for handlers', () => {
       // Verify handlers are stable by rendering multiple times
       const { rerender } = render(
-        <ApiAccessCard
-          apiEnabled={true}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={true}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       rerender(
-        <ApiAccessCard
-          apiEnabled={true}
-        />,
+        <Popover open>
+          <ApiAccessCard
+            apiEnabled={true}
+            onOpenSecretKeyModal={vi.fn()}
+          />
+        </Popover>,
       )
 
       // Component should render without issues with memoized callbacks
diff --git a/web/app/components/datasets/extra-info/api-access/__tests__/card.spec.tsx b/web/app/components/datasets/extra-info/api-access/__tests__/card.spec.tsx
index 3f9eadc7050..f3367d5910c 100644
--- a/web/app/components/datasets/extra-info/api-access/__tests__/card.spec.tsx
+++ b/web/app/components/datasets/extra-info/api-access/__tests__/card.spec.tsx
@@ -1,3 +1,4 @@
+import { Popover } from '@langgenius/dify-ui/popover'
 import { fireEvent, render, screen, waitFor } from '@testing-library/react'
 import { beforeEach, describe, expect, it, vi } from 'vitest'
 import Card from '../card'
@@ -36,6 +37,16 @@ vi.mock('@/hooks/use-api-access-url', () => ({
   useDatasetApiAccessUrl: () => 'https://docs.dify.ai/api-reference/datasets',
 }))
 
+const onOpenSecretKeyModal = vi.fn()
+
+// Card renders a PopoverClose, which needs an enclosing Popover root.
+const renderCard = (apiEnabled: boolean) =>
+  render(
+    <Popover open>
+      <Card apiEnabled={apiEnabled} onOpenSecretKeyModal={onOpenSecretKeyModal} />
+    </Popover>,
+  )
+
 describe('Card (API Access)', () => {
   beforeEach(() => {
     vi.clearAllMocks()
@@ -47,33 +58,33 @@ describe('Card (API Access)', () => {
   // Rendering: verifies enabled/disabled states render correctly
   describe('Rendering', () => {
     it('should render without crashing when api is enabled', () => {
-      render(<Card apiEnabled={true} />)
+      renderCard(true)
       expect(screen.getByText(/serviceApi\.enabled/)).toBeInTheDocument()
     })
 
     it('should render without crashing when api is disabled', () => {
-      render(<Card apiEnabled={false} />)
+      renderCard(false)
       expect(screen.getByText(/serviceApi\.disabled/)).toBeInTheDocument()
     })
 
     it('should render API access tip text', () => {
-      render(<Card apiEnabled={true} />)
+      renderCard(true)
       expect(screen.getByText(/appMenus\.apiAccessTip/)).toBeInTheDocument()
     })
 
     it('should render API reference link', () => {
-      render(<Card apiEnabled={true} />)
+      renderCard(true)
       const link = screen.getByRole('link')
       expect(link).toHaveAttribute('href', 'https://docs.dify.ai/api-reference/datasets')
     })
 
     it('should render API doc text in link', () => {
-      render(<Card apiEnabled={true} />)
+      renderCard(true)
       expect(screen.getByText(/apiInfo\.doc/)).toBeInTheDocument()
     })
 
     it('should open API reference link in new tab', () => {
-      render(<Card apiEnabled={true} />)
+      renderCard(true)
       const link = screen.getByRole('link')
       expect(link).toHaveAttribute('target', '_blank')
       expect(link).toHaveAttribute('rel', 'noopener noreferrer')
@@ -83,13 +94,13 @@ describe('Card (API Access)', () => {
   // Props: tests enabled/disabled visual states
   describe('Props', () => {
     it('should show green indicator text when enabled', () => {
-      render(<Card apiEnabled={true} />)
+      renderCard(true)
       const enabledText = screen.getByText(/serviceApi\.enabled/)
       expect(enabledText).toHaveClass('text-text-success')
     })
 
     it('should show warning text when disabled', () => {
-      render(<Card apiEnabled={false} />)
+      renderCard(false)
       const disabledText = screen.getByText(/serviceApi\.disabled/)
       expect(disabledText).toHaveClass('text-text-warning')
     })
@@ -99,7 +110,7 @@ describe('Card (API Access)', () => {
   describe('User Interactions', () => {
     it('should call enableDatasetServiceApi when toggling on', async () => {
       mockEnableApi.mockResolvedValue({ result: 'success' })
-      render(<Card apiEnabled={false} />)
+      renderCard(false)
 
       const switchButton = screen.getByRole('switch')
       fireEvent.click(switchButton)
@@ -111,7 +122,7 @@ describe('Card (API Access)', () => {
 
     it('should call disableDatasetServiceApi when toggling off', async () => {
       mockDisableApi.mockResolvedValue({ result: 'success' })
-      render(<Card apiEnabled={true} />)
+      renderCard(true)
 
       const switchButton = screen.getByRole('switch')
       fireEvent.click(switchButton)
@@ -123,7 +134,7 @@ describe('Card (API Access)', () => {
 
     it('should call mutateDatasetRes on successful toggle', async () => {
       mockEnableApi.mockResolvedValue({ result: 'success' })
-      render(<Card apiEnabled={false} />)
+      renderCard(false)
 
       const switchButton = screen.getByRole('switch')
       fireEvent.click(switchButton)
@@ -135,7 +146,7 @@ describe('Card (API Access)', () => {
 
     it('should not call mutateDatasetRes when result is not success', async () => {
       mockEnableApi.mockResolvedValue({ result: 'fail' })
-      render(<Card apiEnabled={false} />)
+      renderCard(false)
 
       const switchButton = screen.getByRole('switch')
       fireEvent.click(switchButton)
@@ -151,7 +162,7 @@ describe('Card (API Access)', () => {
   describe('Switch State', () => {
     it('should disable switch when user is not workspace manager', () => {
       mockIsCurrentWorkspaceManager = false
-      render(<Card apiEnabled={true} />)
+      renderCard(true)
 
       const switchButton = screen.getByRole('switch')
       expect(switchButton).toHaveAttribute('aria-checked', 'true')
@@ -160,19 +171,33 @@ describe('Card (API Access)', () => {
 
     it('should enable switch when user is workspace manager', () => {
       mockIsCurrentWorkspaceManager = true
-      render(<Card apiEnabled={true} />)
+      renderCard(true)
 
       const switchButton = screen.getByRole('switch')
       expect(switchButton).not.toHaveAttribute('aria-disabled', 'true')
     })
   })
 
+  // API keys entry point
+  describe('API Keys Button', () => {
+    it('should render the API key action', () => {
+      renderCard(true)
+      expect(screen.getByText(/serviceApi\.card\.apiKey/)).toBeInTheDocument()
+    })
+
+    it('should call onOpenSecretKeyModal when the API key action is clicked', () => {
+      renderCard(true)
+      fireEvent.click(screen.getByText(/serviceApi\.card\.apiKey/))
+      expect(onOpenSecretKeyModal).toHaveBeenCalledTimes(1)
+    })
+  })
+
   // Edge Cases: tests boundary scenarios
   describe('Edge Cases', () => {
     it('should handle undefined dataset id', async () => {
       mockDatasetId = undefined
       mockEnableApi.mockResolvedValue({ result: 'success' })
-      render(<Card apiEnabled={false} />)
+      renderCard(false)
 
       const switchButton = screen.getByRole('switch')
       fireEvent.click(switchButton)
diff --git a/web/app/components/datasets/extra-info/api-access/__tests__/index.spec.tsx b/web/app/components/datasets/extra-info/api-access/__tests__/index.spec.tsx
index ff866921f2c..9cfb78429b4 100644
--- a/web/app/components/datasets/extra-info/api-access/__tests__/index.spec.tsx
+++ b/web/app/components/datasets/extra-info/api-access/__tests__/index.spec.tsx
@@ -20,6 +20,13 @@ vi.mock('@/service/knowledge/use-dataset', () => ({
   useDisableDatasetServiceApi: vi.fn(() => ({ mutateAsync: vi.fn() })),
 }))
 
+// Mock SecretKeyModal to avoid complex modal rendering
+vi.mock('@/app/components/develop/secret-key/secret-key-modal', () => ({
+  default: ({ isShow, datasetId }: { isShow: boolean, datasetId?: string }) => (
+    <div data-testid="secret-key-modal" data-show={String(isShow)} data-dataset-id={datasetId} />
+  ),
+}))
+
 afterEach(() => {
   cleanup()
 })
@@ -54,6 +61,13 @@ describe('ApiAccess', () => {
     expect((ApiAccess as unknown as { $$typeof: symbol }).$$typeof).toBe(Symbol.for('react.memo'))
   })
 
+  it('should pass the dataset id from context to the secret key modal', () => {
+    render(<ApiAccess expand={true} apiEnabled={true} />)
+    const modal = screen.getByTestId('secret-key-modal')
+    expect(modal).toHaveAttribute('data-dataset-id', 'test-dataset-id')
+    expect(modal).toHaveAttribute('data-show', 'false')
+  })
+
   describe('toggle functionality', () => {
     it('should toggle open state when trigger is clicked', async () => {
       const { container } = render(<ApiAccess expand={true} apiEnabled={true} />)
diff --git a/web/app/components/datasets/extra-info/api-access/card.tsx b/web/app/components/datasets/extra-info/api-access/card.tsx
index 0b7a5778538..a503132b93e 100644
--- a/web/app/components/datasets/extra-info/api-access/card.tsx
+++ b/web/app/components/datasets/extra-info/api-access/card.tsx
@@ -1,7 +1,8 @@
 import { cn } from '@langgenius/dify-ui/cn'
+import { PopoverClose } from '@langgenius/dify-ui/popover'
 import { StatusDot } from '@langgenius/dify-ui/status-dot'
 import { Switch } from '@langgenius/dify-ui/switch'
-import { RiArrowRightUpLine, RiBookOpenLine } from '@remixicon/react'
+import { RiArrowRightUpLine, RiBookOpenLine, RiKey2Line } from '@remixicon/react'
 import * as React from 'react'
 import { useCallback } from 'react'
 import { useTranslation } from 'react-i18next'
@@ -13,10 +14,12 @@ import { useDisableDatasetServiceApi, useEnableDatasetServiceApi } from '@/servi
 
 type CardProps = {
   apiEnabled: boolean
+  onOpenSecretKeyModal: () => void
 }
 
 const Card = ({
   apiEnabled,
+  onOpenSecretKeyModal,
 }: CardProps) => {
   const { t } = useTranslation()
   const datasetId = useDatasetDetailContextWithSelector(state => state.dataset?.id)
@@ -72,6 +75,20 @@ const Card = ({
       </div>
       <div className="h-px bg-divider-subtle"></div>
       <div className="p-1">
+        <PopoverClose
+          render={(
+            <button
+              type="button"
+              className="flex h-8 w-full items-center space-x-[7px] rounded-lg border-none bg-transparent px-2 text-left text-text-tertiary hover:bg-state-base-hover"
+              onClick={onOpenSecretKeyModal}
+            >
+              <RiKey2Line className="size-3.5 shrink-0" />
+              <div className="grow truncate system-sm-regular">
+                {t('serviceApi.card.apiKey', { ns: 'dataset' })}
+              </div>
+            </button>
+          )}
+        />
         <Link
           href={apiReferenceUrl}
           target="_blank"
diff --git a/web/app/components/datasets/extra-info/api-access/index.tsx b/web/app/components/datasets/extra-info/api-access/index.tsx
index 12d4a17f49c..24d7b79181e 100644
--- a/web/app/components/datasets/extra-info/api-access/index.tsx
+++ b/web/app/components/datasets/extra-info/api-access/index.tsx
@@ -2,9 +2,11 @@ import { cn } from '@langgenius/dify-ui/cn'
 import { Popover, PopoverContent, PopoverTrigger } from '@langgenius/dify-ui/popover'
 import { StatusDot } from '@langgenius/dify-ui/status-dot'
 import * as React from 'react'
-import { useState } from 'react'
+import { useCallback, useState } from 'react'
 import { useTranslation } from 'react-i18next'
 import { ApiAggregate } from '@/app/components/base/icons/src/vender/knowledge'
+import SecretKeyModal from '@/app/components/develop/secret-key/secret-key-modal'
+import { useDatasetDetailContextWithSelector } from '@/context/dataset-detail'
 import Card from './card'
 
 type ApiAccessProps = {
@@ -18,6 +20,16 @@ const ApiAccess = ({
 }: ApiAccessProps) => {
   const { t } = useTranslation()
   const [open, setOpen] = useState(false)
+  const datasetId = useDatasetDetailContextWithSelector(state => state.dataset?.id)
+  const [isSecretKeyModalVisible, setIsSecretKeyModalVisible] = useState(false)
+
+  const handleOpenSecretKeyModal = useCallback(() => {
+    setIsSecretKeyModalVisible(true)
+  }, [])
+
+  const handleCloseSecretKeyModal = useCallback(() => {
+    setIsSecretKeyModalVisible(false)
+  }, [])
 
   return (
     <div className="p-3 pt-2">
@@ -52,9 +64,15 @@ const ApiAccess = ({
         >
           <Card
             apiEnabled={apiEnabled}
+            onOpenSecretKeyModal={handleOpenSecretKeyModal}
           />
         </PopoverContent>
       </Popover>
+      <SecretKeyModal
+        isShow={isSecretKeyModalVisible}
+        datasetId={datasetId}
+        onClose={handleCloseSecretKeyModal}
+      />
     </div>
   )
 }
diff --git a/web/app/components/develop/secret-key/__tests__/secret-key-modal.spec.tsx b/web/app/components/develop/secret-key/__tests__/secret-key-modal.spec.tsx
index 00948180eb4..84f3eb13fed 100644
--- a/web/app/components/develop/secret-key/__tests__/secret-key-modal.spec.tsx
+++ b/web/app/components/develop/secret-key/__tests__/secret-key-modal.spec.tsx
@@ -70,6 +70,8 @@ vi.mock('@/service/use-apps', () => ({
 
 const mockDatasetApiKeysData = vi.fn().mockReturnValue({ data: [] })
 const mockIsDatasetApiKeysLoading = vi.fn().mockReturnValue(false)
+const mockDatasetScopedApiKeysData = vi.fn().mockReturnValue({ data: [] })
+const mockIsDatasetScopedApiKeysLoading = vi.fn().mockReturnValue(false)
 const mockInvalidateDatasetApiKeys = vi.fn()
 
 vi.mock('@/service/knowledge/use-dataset', () => ({
@@ -77,6 +79,10 @@ vi.mock('@/service/knowledge/use-dataset', () => ({
     data: mockDatasetApiKeysData(),
     isLoading: mockIsDatasetApiKeysLoading(),
   }),
+  useDatasetScopedApiKeys: (_datasetId: string | undefined, _options: unknown) => ({
+    data: mockDatasetScopedApiKeysData(),
+    isLoading: mockIsDatasetScopedApiKeysLoading(),
+  }),
   useInvalidateDatasetApiKeys: () => mockInvalidateDatasetApiKeys,
 }))
 
@@ -98,6 +104,8 @@ describe('SecretKeyModal', () => {
     mockIsAppApiKeysLoading.mockReturnValue(false)
     mockDatasetApiKeysData.mockReturnValue({ data: [] })
     mockIsDatasetApiKeysLoading.mockReturnValue(false)
+    mockDatasetScopedApiKeysData.mockReturnValue({ data: [] })
+    mockIsDatasetScopedApiKeysLoading.mockReturnValue(false)
   })
 
   afterEach(() => {
@@ -276,6 +284,50 @@ describe('SecretKeyModal', () => {
       })
     })
 
+    it('should create a dataset-bound key by default when datasetId is provided', async () => {
+      const user = userEvent.setup({ advanceTimers: vi.advanceTimersByTime })
+      await renderModal(<SecretKeyModal {...defaultProps} datasetId="dataset-123" />)
+
+      const createButton = screen.getByText('appApi.apiKeyModal.createNewSecretKey')
+      await act(async () => {
+        await user.click(createButton)
+      })
+
+      await waitFor(() => {
+        expect(mockCreateDatasetApikey).toHaveBeenCalledWith({
+          url: '/datasets/dataset-123/api-keys',
+          body: {},
+        })
+      })
+    })
+
+    it('should create a workspace key when the workspace scope is selected', async () => {
+      const user = userEvent.setup({ advanceTimers: vi.advanceTimersByTime })
+      await renderModal(<SecretKeyModal {...defaultProps} datasetId="dataset-123" />)
+
+      const workspaceScopeRadio = screen.getByText('appApi.apiKeyModal.scopeAllDatasets')
+      await act(async () => {
+        await user.click(workspaceScopeRadio)
+      })
+
+      const createButton = screen.getByText('appApi.apiKeyModal.createNewSecretKey')
+      await act(async () => {
+        await user.click(createButton)
+      })
+
+      await waitFor(() => {
+        expect(mockCreateDatasetApikey).toHaveBeenCalledWith({
+          url: '/datasets/api-keys',
+          body: {},
+        })
+      })
+    })
+
+    it('should not render the scope selector without datasetId', async () => {
+      await renderModal(<SecretKeyModal {...defaultProps} />)
+      expect(screen.queryByText('appApi.apiKeyModal.scopeThisDataset')).not.toBeInTheDocument()
+    })
+
     it('should show generate modal after creating key', async () => {
       const user = userEvent.setup({ advanceTimers: vi.advanceTimersByTime })
       await renderModal(<SecretKeyModal {...defaultProps} appId="app-123" />)
@@ -574,6 +626,56 @@ describe('SecretKeyModal', () => {
       })
     })
 
+    it('should delete a dataset-bound key via the per-dataset route', async () => {
+      mockDatasetScopedApiKeysData.mockReturnValue({
+        data: [
+          { id: 'dk-2', token: 'dataset-bound-key-123456', dataset_id: 'dataset-123', created_at: 1700000000, last_used_at: null },
+        ],
+      })
+      const user = userEvent.setup({ advanceTimers: vi.advanceTimersByTime })
+      await renderModal(<SecretKeyModal {...defaultProps} datasetId="dataset-123" />)
+
+      const actionButtons = document.body.querySelectorAll('button.action-btn')
+      const deleteButton = actionButtons[1]
+      await act(async () => {
+        await user.click(deleteButton!)
+        vi.runAllTimers()
+      })
+
+      await waitFor(() => {
+        expect(screen.getByText('appApi.actionMsg.deleteConfirmTitle')).toBeInTheDocument()
+      })
+      await flushTransitions()
+
+      const confirmButton = screen.getByText('common.operation.confirm')
+      await act(async () => {
+        await user.click(confirmButton)
+        vi.runAllTimers()
+      })
+
+      await waitFor(() => {
+        expect(mockDelDatasetApikey).toHaveBeenCalledWith({
+          url: '/datasets/dataset-123/api-keys/dk-2',
+          params: {},
+        })
+      })
+    })
+
+    it('should show the scope column for dataset keys', async () => {
+      mockDatasetScopedApiKeysData.mockReturnValue({
+        data: [
+          { id: 'dk-2', token: 'dataset-bound-key-123456', dataset_id: 'dataset-123', created_at: 1700000000, last_used_at: null },
+          { id: 'dk-3', token: 'dataset-workspace-key-123', dataset_id: null, created_at: 1700000000, last_used_at: null },
+        ],
+      })
+      await renderModal(<SecretKeyModal {...defaultProps} datasetId="dataset-123" />)
+
+      expect(screen.getByText('appApi.apiKeyModal.scope')).toBeInTheDocument()
+      // Bound key: the column label plus the selected radio option both use scopeThisDataset.
+      expect(screen.getAllByText('appApi.apiKeyModal.scopeThisDataset').length).toBeGreaterThanOrEqual(2)
+      expect(screen.getAllByText('appApi.apiKeyModal.scopeAllDatasets').length).toBeGreaterThanOrEqual(2)
+    })
+
     it('should invalidate dataset API keys after deleting', async () => {
       const user = userEvent.setup({ advanceTimers: vi.advanceTimersByTime })
       await renderModal(<SecretKeyModal {...defaultProps} />)
diff --git a/web/app/components/develop/secret-key/secret-key-modal.tsx b/web/app/components/develop/secret-key/secret-key-modal.tsx
index 7d949d7864e..46c61da006b 100644
--- a/web/app/components/develop/secret-key/secret-key-modal.tsx
+++ b/web/app/components/develop/secret-key/secret-key-modal.tsx
@@ -13,6 +13,8 @@ import {
 import { Button } from '@langgenius/dify-ui/button'
 import { cn } from '@langgenius/dify-ui/cn'
 import { Dialog, DialogContent, DialogTitle } from '@langgenius/dify-ui/dialog'
+import { Radio } from '@langgenius/dify-ui/radio'
+import { RadioGroup } from '@langgenius/dify-ui/radio-group'
 import { RiDeleteBinLine } from '@remixicon/react'
 import {
   useState,
@@ -31,20 +33,26 @@ import {
   createApikey as createDatasetApikey,
   delApikey as delDatasetApikey,
 } from '@/service/datasets'
-import { useDatasetApiKeys, useInvalidateDatasetApiKeys } from '@/service/knowledge/use-dataset'
+import { useDatasetApiKeys, useDatasetScopedApiKeys, useInvalidateDatasetApiKeys } from '@/service/knowledge/use-dataset'
 import { useAppApiKeys, useInvalidateAppApiKeys } from '@/service/use-apps'
 import SecretKeyGenerateModal from './secret-key-generate'
 import s from './style.module.css'
 
+type DatasetKeyScope = 'dataset' | 'workspace'
+
 type ISecretKeyModalProps = {
   isShow: boolean
   appId?: string
+  // When set (and appId is not), the modal manages keys for this knowledge base:
+  // it lists every key that can reach it and can create keys bound to it.
+  datasetId?: string
   onClose: () => void
 }
 
 const SecretKeyModal = ({
   isShow = false,
   appId,
+  datasetId,
   onClose,
 }: ISecretKeyModalProps) => {
   const { t } = useTranslation()
@@ -53,12 +61,15 @@ const SecretKeyModal = ({
   const [showConfirmDelete, setShowConfirmDelete] = useState(false)
   const [isVisible, setVisible] = useState(false)
   const [newKey, setNewKey] = useState<CreateApiKeyResponse | undefined>(undefined)
+  const [newKeyScope, setNewKeyScope] = useState<DatasetKeyScope>('dataset')
   const invalidateAppApiKeys = useInvalidateAppApiKeys()
   const invalidateDatasetApiKeys = useInvalidateDatasetApiKeys()
   const { data: appApiKeys, isLoading: isAppApiKeysLoading } = useAppApiKeys(appId, { enabled: !!appId && isShow })
-  const { data: datasetApiKeys, isLoading: isDatasetApiKeysLoading } = useDatasetApiKeys({ enabled: !appId && isShow })
-  const apiKeysList = appId ? appApiKeys : datasetApiKeys
-  const isApiKeysLoading = appId ? isAppApiKeysLoading : isDatasetApiKeysLoading
+  const { data: datasetApiKeys, isLoading: isDatasetApiKeysLoading } = useDatasetApiKeys({ enabled: !appId && !datasetId && isShow })
+  const { data: datasetScopedApiKeys, isLoading: isDatasetScopedApiKeysLoading } = useDatasetScopedApiKeys(datasetId, { enabled: !appId && isShow })
+  const isDatasetScope = !appId && !!datasetId
+  const apiKeysList = appId ? appApiKeys : (isDatasetScope ? datasetScopedApiKeys : datasetApiKeys)
+  const isApiKeysLoading = appId ? isAppApiKeysLoading : (isDatasetScope ? isDatasetScopedApiKeysLoading : isDatasetApiKeysLoading)
 
   const [delKeyID, setDelKeyId] = useState('')
 
@@ -67,10 +78,14 @@ const SecretKeyModal = ({
     if (!delKeyID)
       return
 
+    const deletedKey = apiKeysList?.data?.find(api => api.id === delKeyID)
     const delApikey = appId ? delAppApikey : delDatasetApikey
     const params = appId
       ? { url: `/apps/${appId}/api-keys/${delKeyID}`, params: {} }
-      : { url: `/datasets/api-keys/${delKeyID}`, params: {} }
+      // Bound keys are managed on the per-dataset route; workspace keys on the tenant route.
+      : deletedKey?.dataset_id
+        ? { url: `/datasets/${deletedKey.dataset_id}/api-keys/${delKeyID}`, params: {} }
+        : { url: `/datasets/api-keys/${delKeyID}`, params: {} }
     await delApikey(params)
     if (appId)
       invalidateAppApiKeys(appId)
@@ -81,7 +96,9 @@ const SecretKeyModal = ({
   const onCreate = async () => {
     const params = appId
       ? { url: `/apps/${appId}/api-keys`, body: {} }
-      : { url: '/datasets/api-keys', body: {} }
+      : isDatasetScope && newKeyScope === 'dataset'
+        ? { url: `/datasets/${datasetId}/api-keys`, body: {} }
+        : { url: '/datasets/api-keys', body: {} }
     const createApikey = appId ? createAppApikey : createDatasetApikey
     const res = await createApikey(params)
     setVisible(true)
@@ -92,6 +109,14 @@ const SecretKeyModal = ({
       invalidateDatasetApiKeys()
   }
 
+  const getScopeLabel = (keyDatasetId?: string | null) => {
+    if (!keyDatasetId)
+      return t('apiKeyModal.scopeAllDatasets', { ns: 'appApi' })
+    return isDatasetScope
+      ? t('apiKeyModal.scopeThisDataset', { ns: 'appApi' })
+      : t('apiKeyModal.scopeBoundDataset', { ns: 'appApi' })
+  }
+
   const generateToken = (token: string) => {
     return `${token.slice(0, 3)}...${token.slice(-20)}`
   }
@@ -133,6 +158,7 @@ const SecretKeyModal = ({
               <div className="mt-4 flex grow flex-col overflow-hidden">
                 <div className="flex h-9 shrink-0 items-center border-b border-divider-regular text-xs font-semibold text-text-tertiary">
                   <div className="w-64 shrink-0 px-3">{t('apiKeyModal.secretKey', { ns: 'appApi' })}</div>
+                  {!appId && <div className="w-[180px] shrink-0 px-3">{t('apiKeyModal.scope', { ns: 'appApi' })}</div>}
                   <div className="w-[200px] shrink-0 px-3">{t('apiKeyModal.created', { ns: 'appApi' })}</div>
                   <div className="w-[200px] shrink-0 px-3">{t('apiKeyModal.lastUsed', { ns: 'appApi' })}</div>
                   <div className="grow px-3"></div>
@@ -141,6 +167,7 @@ const SecretKeyModal = ({
                   {apiKeysList.data.map(api => (
                     <div className="flex h-9 items-center border-b border-divider-regular text-sm font-normal text-text-secondary" key={api.id}>
                       <div className="w-64 shrink-0 truncate px-3 font-mono">{generateToken(api.token)}</div>
+                      {!appId && <div className="w-[180px] shrink-0 truncate px-3">{getScopeLabel(api.dataset_id)}</div>}
                       <div className="w-[200px] shrink-0 truncate px-3">{formatTime(Number(api.created_at), t('dateTimeFormat', { ns: 'appLog' }) as string)}</div>
                       <div className="w-[200px] shrink-0 truncate px-3">{api.last_used_at ? formatTime(Number(api.last_used_at), t('dateTimeFormat', { ns: 'appLog' }) as string) : t('never', { ns: 'appApi' })}</div>
                       <div className="flex grow space-x-2 px-3">
@@ -162,6 +189,22 @@ const SecretKeyModal = ({
               </div>
             )
           }
+          {isDatasetScope && (
+            <RadioGroup
+              className="mt-4 flex items-center gap-4"
+              value={newKeyScope}
+              onValueChange={value => setNewKeyScope(value as DatasetKeyScope)}
+            >
+              <label className="flex cursor-pointer items-center gap-1.5 text-[13px] text-text-secondary">
+                <Radio value="dataset" />
+                {t('apiKeyModal.scopeThisDataset', { ns: 'appApi' })}
+              </label>
+              <label className="flex cursor-pointer items-center gap-1.5 text-[13px] text-text-secondary">
+                <Radio value="workspace" />
+                {t('apiKeyModal.scopeAllDatasets', { ns: 'appApi' })}
+              </label>
+            </RadioGroup>
+          )}
           <div className="flex">
             <Button className={`mt-4 flex shrink-0 ${s.autoWidth}`} onClick={onCreate} disabled={!currentWorkspace || !isCurrentWorkspaceEditor}>
               <PlusIcon className="mr-1 flex size-4 shrink-0" />
diff --git a/web/i18n/ar-TN/app-api.json b/web/i18n/ar-TN/app-api.json
index 22a28b31c98..8d2922266b2 100644
--- a/web/i18n/ar-TN/app-api.json
+++ b/web/i18n/ar-TN/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "تم الإنشاء",
   "apiKeyModal.generateTips": "احتفظ بهذا المفتاح في مكان آمن ويمكن الوصول إليه.",
   "apiKeyModal.lastUsed": "آخر استخدام",
+  "apiKeyModal.scope": "النطاق",
+  "apiKeyModal.scopeAllDatasets": "جميع قواعد المعرفة",
+  "apiKeyModal.scopeBoundDataset": "قاعدة معرفة واحدة",
+  "apiKeyModal.scopeThisDataset": "قاعدة المعرفة هذه فقط",
   "apiKeyModal.secretKey": "المفتاح السري",
   "apiServer": "خادم API",
   "chatMode.blocking": "نوع الحظر، في انتظار اكتمال التنفيذ وإرجاع النتائج. (قد يتم قطع الطلبات إذا كانت العملية طويلة)",
diff --git a/web/i18n/de-DE/app-api.json b/web/i18n/de-DE/app-api.json
index 1a18ff6cd69..37388addcef 100644
--- a/web/i18n/de-DE/app-api.json
+++ b/web/i18n/de-DE/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "ERSTELLT",
   "apiKeyModal.generateTips": "Bewahren Sie diesen Schlüssel an einem sicheren und zugänglichen Ort auf.",
   "apiKeyModal.lastUsed": "ZULETZT VERWENDET",
+  "apiKeyModal.scope": "BEREICH",
+  "apiKeyModal.scopeAllDatasets": "Alle Wissensdatenbanken",
+  "apiKeyModal.scopeBoundDataset": "Einzelne Wissensdatenbank",
+  "apiKeyModal.scopeThisDataset": "Nur diese Wissensdatenbank",
   "apiKeyModal.secretKey": "Geheimschlüssel",
   "apiServer": "API Server",
   "chatMode.blocking": "Blockierender Typ, wartet auf die Fertigstellung der Ausführung und gibt Ergebnisse zurück. (Anfragen können unterbrochen werden, wenn der Prozess lang ist)",
diff --git a/web/i18n/en-US/app-api.json b/web/i18n/en-US/app-api.json
index ec077174593..edf4f468e69 100644
--- a/web/i18n/en-US/app-api.json
+++ b/web/i18n/en-US/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "CREATED",
   "apiKeyModal.generateTips": "Keep this key in a secure and accessible place.",
   "apiKeyModal.lastUsed": "LAST USED",
+  "apiKeyModal.scope": "SCOPE",
+  "apiKeyModal.scopeAllDatasets": "All knowledge bases",
+  "apiKeyModal.scopeBoundDataset": "Single knowledge base",
+  "apiKeyModal.scopeThisDataset": "This knowledge base only",
   "apiKeyModal.secretKey": "Secret Key",
   "apiServer": "API Server",
   "chatMode.blocking": "Blocking type, waiting for execution to complete and returning results. (Requests may be interrupted if the process is long)",
diff --git a/web/i18n/es-ES/app-api.json b/web/i18n/es-ES/app-api.json
index f62e44d2fc6..be19c774eb0 100644
--- a/web/i18n/es-ES/app-api.json
+++ b/web/i18n/es-ES/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "CREADA",
   "apiKeyModal.generateTips": "Guarda esta clave en un lugar seguro y accesible.",
   "apiKeyModal.lastUsed": "ÚLTIMO USO",
+  "apiKeyModal.scope": "ALCANCE",
+  "apiKeyModal.scopeAllDatasets": "Todas las bases de conocimiento",
+  "apiKeyModal.scopeBoundDataset": "Base de conocimiento única",
+  "apiKeyModal.scopeThisDataset": "Solo esta base de conocimiento",
   "apiKeyModal.secretKey": "Clave secreta",
   "apiServer": "Servidor de API",
   "chatMode.blocking": "Tipo de bloqueo, esperando a que se complete la ejecución y devuelva los resultados. (Las solicitudes pueden interrumpirse si el proceso es largo)",
diff --git a/web/i18n/fa-IR/app-api.json b/web/i18n/fa-IR/app-api.json
index 9ecab73f2fd..8b21a75d939 100644
--- a/web/i18n/fa-IR/app-api.json
+++ b/web/i18n/fa-IR/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "ایجاد شده",
   "apiKeyModal.generateTips": "این کلید را در مکانی امن و قابل دسترس نگه دارید.",
   "apiKeyModal.lastUsed": "آخرین استفاده",
+  "apiKeyModal.scope": "محدوده",
+  "apiKeyModal.scopeAllDatasets": "همه پایگاه‌های دانش",
+  "apiKeyModal.scopeBoundDataset": "یک پایگاه دانش",
+  "apiKeyModal.scopeThisDataset": "فقط این پایگاه دانش",
   "apiKeyModal.secretKey": "کلید مخفی",
   "apiServer": "سرور API",
   "chatMode.blocking": "نوع مسدودکننده، منتظر اتمام اجرا و بازگشت نتایج. (درخواست‌ها ممکن است در صورت طولانی بودن فرآیند قطع شوند)",
diff --git a/web/i18n/fr-FR/app-api.json b/web/i18n/fr-FR/app-api.json
index 4d586a29253..5c3046b841b 100644
--- a/web/i18n/fr-FR/app-api.json
+++ b/web/i18n/fr-FR/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "CRÉÉ",
   "apiKeyModal.generateTips": "Gardez cette clé dans un endroit sûr et accessible.",
   "apiKeyModal.lastUsed": "DERNIÈRE UTILISATION",
+  "apiKeyModal.scope": "PORTÉE",
+  "apiKeyModal.scopeAllDatasets": "Toutes les bases de connaissances",
+  "apiKeyModal.scopeBoundDataset": "Base de connaissances unique",
+  "apiKeyModal.scopeThisDataset": "Cette base de connaissances uniquement",
   "apiKeyModal.secretKey": "Clé Secrète",
   "apiServer": "Serveur API",
   "chatMode.blocking": "Type de blocage, en attente de l'exécution pour terminer et renvoyer les résultats. (Les demandes peuvent être interrompues si le processus est long)",
diff --git a/web/i18n/hi-IN/app-api.json b/web/i18n/hi-IN/app-api.json
index e8b408293ac..5b5da5c0adb 100644
--- a/web/i18n/hi-IN/app-api.json
+++ b/web/i18n/hi-IN/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "बनाई गई",
   "apiKeyModal.generateTips": "इस कुंजी को एक सुरक्षित और सुलभ स्थान पर रखें।",
   "apiKeyModal.lastUsed": "अंतिम उपयोग",
+  "apiKeyModal.scope": "दायरा",
+  "apiKeyModal.scopeAllDatasets": "सभी नॉलेज बेस",
+  "apiKeyModal.scopeBoundDataset": "एकल नॉलेज बेस",
+  "apiKeyModal.scopeThisDataset": "केवल यह नॉलेज बेस",
   "apiKeyModal.secretKey": "गुप्त कुंजी",
   "apiServer": "एपीआई सर्वर",
   "chatMode.blocking": "ब्लॉकिंग प्रकार, निष्पादन पूरा होने की प्रतीक्षा करता है और परिणाम लौटाता है। (प्रक्रिया लंबी होने पर अनुरोधों को रोका जा सकता है)",
diff --git a/web/i18n/id-ID/app-api.json b/web/i18n/id-ID/app-api.json
index 686ae2bfe2a..9938c51529f 100644
--- a/web/i18n/id-ID/app-api.json
+++ b/web/i18n/id-ID/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "DIBUAT",
   "apiKeyModal.generateTips": "Simpan kunci ini di tempat yang aman dan mudah diakses.",
   "apiKeyModal.lastUsed": "TERAKHIR DIGUNAKAN",
+  "apiKeyModal.scope": "CAKUPAN",
+  "apiKeyModal.scopeAllDatasets": "Semua basis pengetahuan",
+  "apiKeyModal.scopeBoundDataset": "Satu basis pengetahuan",
+  "apiKeyModal.scopeThisDataset": "Hanya basis pengetahuan ini",
   "apiKeyModal.secretKey": "Kunci Rahasia",
   "apiServer": "Server API",
   "chatMode.blocking": "Jenis pemblokiran, menunggu eksekusi selesai dan mengembalikan hasil. (Permintaan dapat terganggu jika prosesnya panjang)",
diff --git a/web/i18n/it-IT/app-api.json b/web/i18n/it-IT/app-api.json
index d36948d45ff..4ad603b66e7 100644
--- a/web/i18n/it-IT/app-api.json
+++ b/web/i18n/it-IT/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "CREATA",
   "apiKeyModal.generateTips": "Conserva questa chiave in un luogo sicuro e accessibile.",
   "apiKeyModal.lastUsed": "ULTIMO UTILIZZO",
+  "apiKeyModal.scope": "AMBITO",
+  "apiKeyModal.scopeAllDatasets": "Tutte le basi di conoscenza",
+  "apiKeyModal.scopeBoundDataset": "Base di conoscenza singola",
+  "apiKeyModal.scopeThisDataset": "Solo questa base di conoscenza",
   "apiKeyModal.secretKey": "Chiave Segreta",
   "apiServer": "Server API",
   "chatMode.blocking": "Tipo bloccante, in attesa che l'esecuzione sia completata e restituisca i risultati. (Le richieste possono essere interrotte se il processo è lungo)",
diff --git a/web/i18n/ja-JP/app-api.json b/web/i18n/ja-JP/app-api.json
index 5260271bebf..e026808fc9f 100644
--- a/web/i18n/ja-JP/app-api.json
+++ b/web/i18n/ja-JP/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "作成日時",
   "apiKeyModal.generateTips": "このキーを安全でアクセス可能な場所に保管してください。",
   "apiKeyModal.lastUsed": "最終使用日時",
+  "apiKeyModal.scope": "スコープ",
+  "apiKeyModal.scopeAllDatasets": "すべてのナレッジベース",
+  "apiKeyModal.scopeBoundDataset": "単一のナレッジベース",
+  "apiKeyModal.scopeThisDataset": "このナレッジベースのみ",
   "apiKeyModal.secretKey": "シークレットキー",
   "apiServer": "API サーバー",
   "chatMode.blocking": "ブロッキングタイプで、実行が完了して結果が返されるまで待機します。（処理が長い場合、リクエストは中断される場合があります）",
diff --git a/web/i18n/ko-KR/app-api.json b/web/i18n/ko-KR/app-api.json
index ca7b50cb0be..e8271876542 100644
--- a/web/i18n/ko-KR/app-api.json
+++ b/web/i18n/ko-KR/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "생성 날짜",
   "apiKeyModal.generateTips": "이 키를 안전하고 접근 가능한 위치에 보관하십시오.",
   "apiKeyModal.lastUsed": "최종 사용 날짜",
+  "apiKeyModal.scope": "범위",
+  "apiKeyModal.scopeAllDatasets": "모든 지식 베이스",
+  "apiKeyModal.scopeBoundDataset": "단일 지식 베이스",
+  "apiKeyModal.scopeThisDataset": "이 지식 베이스만",
   "apiKeyModal.secretKey": "비밀 키",
   "apiServer": "API 서버",
   "chatMode.blocking": "블로킹 유형으로 실행이 완료되고 결과가 반환될 때까지 대기합니다. (처리가 오래 걸리면 요청이 중단될 수 있습니다)",
diff --git a/web/i18n/nl-NL/app-api.json b/web/i18n/nl-NL/app-api.json
index ec077174593..061d1c624a9 100644
--- a/web/i18n/nl-NL/app-api.json
+++ b/web/i18n/nl-NL/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "CREATED",
   "apiKeyModal.generateTips": "Keep this key in a secure and accessible place.",
   "apiKeyModal.lastUsed": "LAST USED",
+  "apiKeyModal.scope": "BEREIK",
+  "apiKeyModal.scopeAllDatasets": "Alle kennisbanken",
+  "apiKeyModal.scopeBoundDataset": "Eén kennisbank",
+  "apiKeyModal.scopeThisDataset": "Alleen deze kennisbank",
   "apiKeyModal.secretKey": "Secret Key",
   "apiServer": "API Server",
   "chatMode.blocking": "Blocking type, waiting for execution to complete and returning results. (Requests may be interrupted if the process is long)",
diff --git a/web/i18n/pl-PL/app-api.json b/web/i18n/pl-PL/app-api.json
index 5ccf6504370..7cae4f8a49d 100644
--- a/web/i18n/pl-PL/app-api.json
+++ b/web/i18n/pl-PL/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "UTWORZONY",
   "apiKeyModal.generateTips": "Przechowuj ten klucz w bezpiecznym i dostępnym miejscu.",
   "apiKeyModal.lastUsed": "OSTATNIO UŻYWANY",
+  "apiKeyModal.scope": "ZAKRES",
+  "apiKeyModal.scopeAllDatasets": "Wszystkie bazy wiedzy",
+  "apiKeyModal.scopeBoundDataset": "Pojedyncza baza wiedzy",
+  "apiKeyModal.scopeThisDataset": "Tylko ta baza wiedzy",
   "apiKeyModal.secretKey": "Tajny Klucz",
   "apiServer": "Serwer API",
   "chatMode.blocking": "Typ blokujący, czekanie na zakończenie wykonania i zwrócenie wyników. (Żądania mogą być przerywane, jeśli proces jest długi)",
diff --git a/web/i18n/pt-BR/app-api.json b/web/i18n/pt-BR/app-api.json
index 06810b4b2af..3251d26347b 100644
--- a/web/i18n/pt-BR/app-api.json
+++ b/web/i18n/pt-BR/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "CRIADA",
   "apiKeyModal.generateTips": "Mantenha esta chave em um local seguro e acessível.",
   "apiKeyModal.lastUsed": "ÚLTIMO USO",
+  "apiKeyModal.scope": "ESCOPO",
+  "apiKeyModal.scopeAllDatasets": "Todas as bases de conhecimento",
+  "apiKeyModal.scopeBoundDataset": "Base de conhecimento única",
+  "apiKeyModal.scopeThisDataset": "Apenas esta base de conhecimento",
   "apiKeyModal.secretKey": "Chave Secreta",
   "apiServer": "Servidor da API",
   "chatMode.blocking": "Tipo de bloqueio, aguardando a conclusão da execução e retornando os resultados. (As solicitações podem ser interrompidas se o processo for longo)",
diff --git a/web/i18n/ro-RO/app-api.json b/web/i18n/ro-RO/app-api.json
index ed9ef79d52a..938b779a255 100644
--- a/web/i18n/ro-RO/app-api.json
+++ b/web/i18n/ro-RO/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "CREATĂ",
   "apiKeyModal.generateTips": "Păstrați această cheie într-un loc sigur și accesibil.",
   "apiKeyModal.lastUsed": "ULTIMA UTILIZARE",
+  "apiKeyModal.scope": "DOMENIU",
+  "apiKeyModal.scopeAllDatasets": "Toate bazele de cunoștințe",
+  "apiKeyModal.scopeBoundDataset": "O singură bază de cunoștințe",
+  "apiKeyModal.scopeThisDataset": "Doar această bază de cunoștințe",
   "apiKeyModal.secretKey": "Cheie Secretă",
   "apiServer": "Server API",
   "chatMode.blocking": "Tip blocant, așteptând finalizarea execuției și returnarea rezultatelor. (Cererea poate fi întreruptă dacă procesul este lung)",
diff --git a/web/i18n/ru-RU/app-api.json b/web/i18n/ru-RU/app-api.json
index 034f70259a1..8c53fc26200 100644
--- a/web/i18n/ru-RU/app-api.json
+++ b/web/i18n/ru-RU/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "СОЗДАН",
   "apiKeyModal.generateTips": "Храните этот ключ в безопасном и доступном месте.",
   "apiKeyModal.lastUsed": "ПОСЛЕДНЕЕ ИСПОЛЬЗОВАНИЕ",
+  "apiKeyModal.scope": "ОБЛАСТЬ",
+  "apiKeyModal.scopeAllDatasets": "Все базы знаний",
+  "apiKeyModal.scopeBoundDataset": "Одна база знаний",
+  "apiKeyModal.scopeThisDataset": "Только эта база знаний",
   "apiKeyModal.secretKey": "Секретный ключ",
   "apiServer": "API Сервер",
   "chatMode.blocking": "Блокирующий тип, ожидает завершения выполнения и возвращает результаты. (Запросы могут быть прерваны, если процесс длительный)",
diff --git a/web/i18n/sl-SI/app-api.json b/web/i18n/sl-SI/app-api.json
index a40a305e5bc..0af8f3a0f30 100644
--- a/web/i18n/sl-SI/app-api.json
+++ b/web/i18n/sl-SI/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "USTVARJENO",
   "apiKeyModal.generateTips": "Hranite ta ključ na varnem in dostopnem mestu.",
   "apiKeyModal.lastUsed": "ZADNJA UPORABA",
+  "apiKeyModal.scope": "OBSEG",
+  "apiKeyModal.scopeAllDatasets": "Vse baze znanja",
+  "apiKeyModal.scopeBoundDataset": "Ena baza znanja",
+  "apiKeyModal.scopeThisDataset": "Samo ta baza znanja",
   "apiKeyModal.secretKey": "Skrivni ključ",
   "apiServer": "API Strežnik",
   "chatMode.blocking": "Vrsta blokiranja, čakanje na dokončanje izvajanja in vračanje rezultatov. (Zahteve se lahko prekinejo, če je postopek dolg)",
diff --git a/web/i18n/th-TH/app-api.json b/web/i18n/th-TH/app-api.json
index 44bcadea7d2..48726d42786 100644
--- a/web/i18n/th-TH/app-api.json
+++ b/web/i18n/th-TH/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "สร้าง",
   "apiKeyModal.generateTips": "เก็บกุญแจนี้ไว้ในที่ปลอดภัยและเข้าถึงได้",
   "apiKeyModal.lastUsed": "ใช้ล่าสุด",
+  "apiKeyModal.scope": "ขอบเขต",
+  "apiKeyModal.scopeAllDatasets": "ฐานความรู้ทั้งหมด",
+  "apiKeyModal.scopeBoundDataset": "ฐานความรู้เดียว",
+  "apiKeyModal.scopeThisDataset": "เฉพาะฐานความรู้นี้เท่านั้น",
   "apiKeyModal.secretKey": "กุญแจลับ",
   "apiServer": "เซิร์ฟเวอร์ API",
   "chatMode.blocking": "ประเภทการบล็อก รอให้การดําเนินการเสร็จสมบูรณ์และส่งคืนผลลัพธ์ (คําขออาจถูกขัดจังหวะหากกระบวนการใช้เวลานาน)",
diff --git a/web/i18n/tr-TR/app-api.json b/web/i18n/tr-TR/app-api.json
index c381ecd54e2..83f09d617af 100644
--- a/web/i18n/tr-TR/app-api.json
+++ b/web/i18n/tr-TR/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "OLUŞTURULDU",
   "apiKeyModal.generateTips": "Bu anahtarı güvenli ve erişilebilir bir yerde saklayın.",
   "apiKeyModal.lastUsed": "SON KULLANIM",
+  "apiKeyModal.scope": "KAPSAM",
+  "apiKeyModal.scopeAllDatasets": "Tüm bilgi tabanları",
+  "apiKeyModal.scopeBoundDataset": "Tek bilgi tabanı",
+  "apiKeyModal.scopeThisDataset": "Yalnızca bu bilgi tabanı",
   "apiKeyModal.secretKey": "Gizli Anahtar",
   "apiServer": "API Sunucusu",
   "chatMode.blocking": "Bloke etme tipi, yürütmenin tamamlanmasını bekleyip sonuçları döndürme. (Süreç uzun sürerse istekler kesilebilir)",
diff --git a/web/i18n/uk-UA/app-api.json b/web/i18n/uk-UA/app-api.json
index c2d72b1ab1f..ac5b99f8235 100644
--- a/web/i18n/uk-UA/app-api.json
+++ b/web/i18n/uk-UA/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "СТВОРЕНО",
   "apiKeyModal.generateTips": "Зберігайте цей ключ у безпечному та доступному місці.",
   "apiKeyModal.lastUsed": "ОСТАННЄ ВИКОРИСТАННЯ",
+  "apiKeyModal.scope": "ОБЛАСТЬ ДІЇ",
+  "apiKeyModal.scopeAllDatasets": "Усі бази знань",
+  "apiKeyModal.scopeBoundDataset": "Одна база знань",
+  "apiKeyModal.scopeThisDataset": "Лише ця база знань",
   "apiKeyModal.secretKey": "Секретний ключ",
   "apiServer": "API сервер",
   "chatMode.blocking": "Тип блокування, очікування завершення виконання та повернення результатів. (Запити можуть бути перервані, якщо процес тривалий)",
diff --git a/web/i18n/vi-VN/app-api.json b/web/i18n/vi-VN/app-api.json
index fa034c204dd..a3112962fbe 100644
--- a/web/i18n/vi-VN/app-api.json
+++ b/web/i18n/vi-VN/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "ĐÃ TẠO",
   "apiKeyModal.generateTips": "Hãy lưu giữ khóa này ở nơi an toàn và dễ tiếp cận.",
   "apiKeyModal.lastUsed": "SỬ DỤNG LẦN CUỐI",
+  "apiKeyModal.scope": "PHẠM VI",
+  "apiKeyModal.scopeAllDatasets": "Tất cả cơ sở tri thức",
+  "apiKeyModal.scopeBoundDataset": "Một cơ sở tri thức",
+  "apiKeyModal.scopeThisDataset": "Chỉ cơ sở tri thức này",
   "apiKeyModal.secretKey": "Khóa bí mật",
   "apiServer": "Máy chủ API",
   "chatMode.blocking": "Loại chặn, đợi để thực hiện hoàn tất và trả kết quả. (Yêu cầu có thể bị gián đoạn nếu quá trình kéo dài)",
diff --git a/web/i18n/zh-Hans/app-api.json b/web/i18n/zh-Hans/app-api.json
index 83257a7dae9..302c0b1a9fe 100644
--- a/web/i18n/zh-Hans/app-api.json
+++ b/web/i18n/zh-Hans/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "创建时间",
   "apiKeyModal.generateTips": "请将此密钥保存在安全且可访问的地方。",
   "apiKeyModal.lastUsed": "最后使用",
+  "apiKeyModal.scope": "范围",
+  "apiKeyModal.scopeAllDatasets": "所有知识库",
+  "apiKeyModal.scopeBoundDataset": "单个知识库",
+  "apiKeyModal.scopeThisDataset": "仅此知识库",
   "apiKeyModal.secretKey": "密钥",
   "apiServer": "API 服务器",
   "chatMode.blocking": "blocking 阻塞型，等待执行完毕后返回结果。（请求若流程较长可能会被中断）",
diff --git a/web/i18n/zh-Hant/app-api.json b/web/i18n/zh-Hant/app-api.json
index e97f4ca650e..a671ee0d83d 100644
--- a/web/i18n/zh-Hant/app-api.json
+++ b/web/i18n/zh-Hant/app-api.json
@@ -9,6 +9,10 @@
   "apiKeyModal.created": "建立時間",
   "apiKeyModal.generateTips": "請將此金鑰儲存在安全且可訪問的地方。",
   "apiKeyModal.lastUsed": "最後使用",
+  "apiKeyModal.scope": "範圍",
+  "apiKeyModal.scopeAllDatasets": "所有知識庫",
+  "apiKeyModal.scopeBoundDataset": "單一知識庫",
+  "apiKeyModal.scopeThisDataset": "僅此知識庫",
   "apiKeyModal.secretKey": "金鑰",
   "apiServer": "API 伺服器",
   "chatMode.blocking": "blocking 阻塞型，等待執行完畢後返回結果。（請求若流程較長可能會被中斷）",
diff --git a/web/models/app.ts b/web/models/app.ts
index d14dc1cd6cd..cb9ce6cbc18 100644
--- a/web/models/app.ts
+++ b/web/models/app.ts
@@ -78,6 +78,8 @@ export type UpdateAppModelConfigResponse = { result: string }
 type ApiKeyItemResponse = {
   id: string
   token: string
+  /** Dataset keys only: the bound dataset id, or null for workspace-scoped keys. */
+  dataset_id?: string | null
   last_used_at: string
   created_at: string
 }
@@ -89,6 +91,7 @@ export type ApiKeysListResponse = {
 export type CreateApiKeyResponse = {
   id: string
   token: string
+  dataset_id?: string | null
   created_at: string
 }
 
diff --git a/web/service/knowledge/use-dataset.ts b/web/service/knowledge/use-dataset.ts
index 152aea73e04..f61914d580c 100644
--- a/web/service/knowledge/use-dataset.ts
+++ b/web/service/knowledge/use-dataset.ts
@@ -178,6 +178,17 @@ export const useDatasetApiKeys = (options?: { enabled?: boolean }) => {
   })
 }
 
+// Keys that can access one dataset: keys bound to it plus workspace-scoped keys.
+export const useDatasetScopedApiKeys = (datasetId?: string, options?: { enabled?: boolean }) => {
+  return useQuery<ApiKeysListResponse>({
+    queryKey: [NAME_SPACE, 'api-keys', datasetId],
+    queryFn: () => get<ApiKeysListResponse>(`/datasets/${datasetId}/api-keys`),
+    enabled: !!datasetId && (options?.enabled ?? true),
+  })
+}
+
+// Prefix-matches both the workspace list ([NAME_SPACE, 'api-keys']) and every
+// per-dataset list ([NAME_SPACE, 'api-keys', datasetId]).
 export const useInvalidateDatasetApiKeys = () => {
   const queryClient = useQueryClient()
   return () => {

From b2703b050d18cb5df79a60d554420c9c19890c7c Mon Sep 17 00:00:00 2001
From: "autofix-ci[bot]" <114827586+autofix-ci[bot]@users.noreply.github.com>
Date: Wed, 17 Jun 2026 06:20:29 +0000
Subject: [PATCH 2/9] [autofix.ci] apply automated fixes

---
 api/openapi/markdown/console-openapi.md          |  5 +++--
 .../generated/api/console/apps/types.gen.ts      |  1 +
 .../generated/api/console/apps/zod.gen.ts        |  1 +
 .../generated/api/console/datasets/orpc.gen.ts   | 16 ++++++++--------
 .../generated/api/console/datasets/types.gen.ts  |  1 +
 .../generated/api/console/datasets/zod.gen.ts    |  1 +
 6 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/api/openapi/markdown/console-openapi.md b/api/openapi/markdown/console-openapi.md
index b413b1c0170..2048468887a 100644
--- a/api/openapi/markdown/console-openapi.md
+++ b/api/openapi/markdown/console-openapi.md
@@ -5835,7 +5835,7 @@ Check if dataset is in use
 | 200 | Dataset use status retrieved successfully | **application/json**: [UsageCheckResponse](#usagecheckresponse)<br> |
 
 ### [GET] /datasets/{resource_id}/api-keys
-**Get all API keys for a dataset**
+**Get all API keys that can access a dataset**
 
 #### Parameters
 
@@ -5850,7 +5850,7 @@ Check if dataset is in use
 | 200 | API keys retrieved successfully | **application/json**: [ApiKeyList](#apikeylist)<br> |
 
 ### [POST] /datasets/{resource_id}/api-keys
-**Create a new API key for a dataset**
+**Create a new API key bound to a single dataset**
 
 #### Parameters
 
@@ -12653,6 +12653,7 @@ Soft lifecycle state for Agent records.
 | Name | Type | Description | Required |
 | ---- | ---- | ----------- | -------- |
 | created_at | integer |  | No |
+| dataset_id | string |  | No |
 | id | string |  | Yes |
 | last_used_at | integer |  | No |
 | token | string |  | Yes |
diff --git a/packages/contracts/generated/api/console/apps/types.gen.ts b/packages/contracts/generated/api/console/apps/types.gen.ts
index 8ccf899b451..c10f85b70e5 100644
--- a/packages/contracts/generated/api/console/apps/types.gen.ts
+++ b/packages/contracts/generated/api/console/apps/types.gen.ts
@@ -1148,6 +1148,7 @@ export type ApiKeyList = {
 
 export type ApiKeyItem = {
   created_at?: number | null
+  dataset_id?: string | null
   id: string
   last_used_at?: number | null
   token: string
diff --git a/packages/contracts/generated/api/console/apps/zod.gen.ts b/packages/contracts/generated/api/console/apps/zod.gen.ts
index 556f11f5521..7a854d1483b 100644
--- a/packages/contracts/generated/api/console/apps/zod.gen.ts
+++ b/packages/contracts/generated/api/console/apps/zod.gen.ts
@@ -763,6 +763,7 @@ export const zWorkflowRestoreResponse = z.object({
  */
 export const zApiKeyItem = z.object({
   created_at: z.int().nullish(),
+  dataset_id: z.string().nullish(),
   id: z.string(),
   last_used_at: z.int().nullish(),
   token: z.string(),
diff --git a/packages/contracts/generated/api/console/datasets/orpc.gen.ts b/packages/contracts/generated/api/console/datasets/orpc.gen.ts
index a8b096168bb..038d4be61bb 100644
--- a/packages/contracts/generated/api/console/datasets/orpc.gen.ts
+++ b/packages/contracts/generated/api/console/datasets/orpc.gen.ts
@@ -1712,37 +1712,37 @@ export const byApiKeyId2 = {
 }
 
 /**
- * Get all API keys for a dataset
+ * Get all API keys that can access a dataset
  *
- * Get all API keys for a dataset
+ * Get all API keys that can access a dataset
  */
 export const get35 = oc
   .route({
-    description: 'Get all API keys for a dataset',
+    description: 'Get all API keys that can access a dataset',
     inputStructure: 'detailed',
     method: 'GET',
     operationId: 'getDatasetsByResourceIdApiKeys',
     path: '/datasets/{resource_id}/api-keys',
-    summary: 'Get all API keys for a dataset',
+    summary: 'Get all API keys that can access a dataset',
     tags: ['console'],
   })
   .input(z.object({ params: zGetDatasetsByResourceIdApiKeysPath }))
   .output(zGetDatasetsByResourceIdApiKeysResponse)
 
 /**
- * Create a new API key for a dataset
+ * Create a new API key bound to a single dataset
  *
- * Create a new API key for a dataset
+ * Create a new API key bound to a single dataset
  */
 export const post22 = oc
   .route({
-    description: 'Create a new API key for a dataset',
+    description: 'Create a new API key bound to a single dataset',
     inputStructure: 'detailed',
     method: 'POST',
     operationId: 'postDatasetsByResourceIdApiKeys',
     path: '/datasets/{resource_id}/api-keys',
     successStatus: 201,
-    summary: 'Create a new API key for a dataset',
+    summary: 'Create a new API key bound to a single dataset',
     tags: ['console'],
   })
   .input(z.object({ params: zPostDatasetsByResourceIdApiKeysPath }))
diff --git a/packages/contracts/generated/api/console/datasets/types.gen.ts b/packages/contracts/generated/api/console/datasets/types.gen.ts
index a24c6cf92ae..481a0cc5c9c 100644
--- a/packages/contracts/generated/api/console/datasets/types.gen.ts
+++ b/packages/contracts/generated/api/console/datasets/types.gen.ts
@@ -70,6 +70,7 @@ export type ApiKeyList = {
 
 export type ApiKeyItem = {
   created_at?: number | null
+  dataset_id?: string | null
   id: string
   last_used_at?: number | null
   token: string
diff --git a/packages/contracts/generated/api/console/datasets/zod.gen.ts b/packages/contracts/generated/api/console/datasets/zod.gen.ts
index 5a5f9282794..4964cce08a5 100644
--- a/packages/contracts/generated/api/console/datasets/zod.gen.ts
+++ b/packages/contracts/generated/api/console/datasets/zod.gen.ts
@@ -14,6 +14,7 @@ export const zApiBaseUrlResponse = z.object({
  */
 export const zApiKeyItem = z.object({
   created_at: z.int().nullish(),
+  dataset_id: z.string().nullish(),
   id: z.string(),
   last_used_at: z.int().nullish(),
   token: z.string(),

From 940686b731b494848680508a54ad6bc25f09a0ca Mon Sep 17 00:00:00 2001
From: yungle246 <yungle246@gmail.com>
Date: Thu, 18 Jun 2026 14:20:18 +0900
Subject: [PATCH 3/9] fix: resolve CI failures after merging main

- Migration: rebase dataset_id migration onto current head (d2f1a4b8c3e0)
  instead of 7bad07dc267d, which had become a second head after upstream
  merged 0b2f2c8a9d1e; restores a single Alembic head.
- Integration test: capture dataset ids into locals before the commit that
  expires the instances, fixing a DetachedInstanceError in
  test_list_excludes_keys_bound_to_other_datasets.
- Web test: add the new useDatasetScopedApiKeys export to the use-dataset mock
  in api-key-management-flow.test.tsx (SecretKeyModal now calls it).
---
 ...17_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py} | 6 +++---
 .../controllers/console/test_apikey.py                   | 9 +++++++--
 web/__tests__/develop/api-key-management-flow.test.tsx   | 1 +
 3 files changed, 11 insertions(+), 5 deletions(-)
 rename api/migrations/versions/{2026_06_10_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py => 2026_06_17_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py} (93%)

diff --git a/api/migrations/versions/2026_06_10_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py b/api/migrations/versions/2026_06_17_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py
similarity index 93%
rename from api/migrations/versions/2026_06_10_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py
rename to api/migrations/versions/2026_06_17_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py
index d81df685ffb..946ca379919 100644
--- a/api/migrations/versions/2026_06_10_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py
+++ b/api/migrations/versions/2026_06_17_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py
@@ -1,8 +1,8 @@
 """add dataset_id to api_tokens
 
 Revision ID: e4f8a2c61d35
-Revises: 7bad07dc267d
-Create Date: 2026-06-10 09:00:00.000000
+Revises: d2f1a4b8c3e0
+Create Date: 2026-06-17 09:00:00.000000
 
 Reintroduces the nullable `dataset_id` column on `api_tokens` (it was dropped in
 2e9819ca5b28 when dataset keys became tenant-scoped) to support API keys bound to
@@ -23,7 +23,7 @@ import models as models
 
 # revision identifiers, used by Alembic.
 revision = "e4f8a2c61d35"
-down_revision = "7bad07dc267d"
+down_revision = "d2f1a4b8c3e0"
 branch_labels = None
 depends_on = None
 
diff --git a/api/tests/test_containers_integration_tests/controllers/console/test_apikey.py b/api/tests/test_containers_integration_tests/controllers/console/test_apikey.py
index d6118f06275..c289ced786e 100644
--- a/api/tests/test_containers_integration_tests/controllers/console/test_apikey.py
+++ b/api/tests/test_containers_integration_tests/controllers/console/test_apikey.py
@@ -261,6 +261,10 @@ class TestDatasetApiKeyListResource:
         db_session_with_containers: Session,
     ) -> None:
         client, headers, dataset = setup_dataset
+        # Capture ids up front: the commit below expires these instances and the
+        # subsequent request teardown detaches them, so reading dataset.id afterwards
+        # would raise DetachedInstanceError.
+        dataset_id = dataset.id
         other_dataset = Dataset(
             tenant_id=dataset.tenant_id,
             name=f"Other Dataset {uuid4()}",
@@ -272,11 +276,12 @@ class TestDatasetApiKeyListResource:
         )
         db_session_with_containers.add(other_dataset)
         db_session_with_containers.commit()
+        other_dataset_id = other_dataset.id
 
-        other_resp = client.post(f"/console/api/datasets/{other_dataset.id}/api-keys", headers=headers)
+        other_resp = client.post(f"/console/api/datasets/{other_dataset_id}/api-keys", headers=headers)
         assert other_resp.status_code == 201
 
-        resp = client.get(f"/console/api/datasets/{dataset.id}/api-keys", headers=headers)
+        resp = client.get(f"/console/api/datasets/{dataset_id}/api-keys", headers=headers)
 
         assert resp.status_code == 200
         assert resp.json is not None
diff --git a/web/__tests__/develop/api-key-management-flow.test.tsx b/web/__tests__/develop/api-key-management-flow.test.tsx
index 233e152f8fa..a14712b86d9 100644
--- a/web/__tests__/develop/api-key-management-flow.test.tsx
+++ b/web/__tests__/develop/api-key-management-flow.test.tsx
@@ -69,6 +69,7 @@ vi.mock('@/service/use-apps', () => ({
 
 vi.mock('@/service/knowledge/use-dataset', () => ({
   useDatasetApiKeys: () => ({ data: null, isLoading: false }),
+  useDatasetScopedApiKeys: () => ({ data: null, isLoading: false }),
   useInvalidateDatasetApiKeys: () => vi.fn(),
 }))
 

From 8391cf7d050a9bdf2db342a91099f0bb406054e8 Mon Sep 17 00:00:00 2001
From: yungle246 <yungle246@gmail.com>
Date: Thu, 18 Jun 2026 17:59:54 +0900
Subject: [PATCH 4/9] fix(web): keep API key table header and rows aligned on
 scroll

The secret-key modal rendered the header and the rows in separate
containers with fixed pixel column widths. Adding the Scope column pushed
the total width past the modal, so the body scrolled horizontally on its
own and desynced from the fixed header.

Switch to proportional flex columns (header and rows share the same
weights) with min-w-0 + truncate, and constrain the body to vertical
scroll only. Columns now always fit the modal width, so the header and
values stay aligned. The scope cell gains a title tooltip for the full
label when truncated.
---
 .../develop/secret-key/secret-key-modal.tsx   | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/web/app/components/develop/secret-key/secret-key-modal.tsx b/web/app/components/develop/secret-key/secret-key-modal.tsx
index 46c61da006b..efb33c40563 100644
--- a/web/app/components/develop/secret-key/secret-key-modal.tsx
+++ b/web/app/components/develop/secret-key/secret-key-modal.tsx
@@ -157,20 +157,20 @@ const SecretKeyModal = ({
             !!apiKeysList?.data?.length && (
               <div className="mt-4 flex grow flex-col overflow-hidden">
                 <div className="flex h-9 shrink-0 items-center border-b border-divider-regular text-xs font-semibold text-text-tertiary">
-                  <div className="w-64 shrink-0 px-3">{t('apiKeyModal.secretKey', { ns: 'appApi' })}</div>
-                  {!appId && <div className="w-[180px] shrink-0 px-3">{t('apiKeyModal.scope', { ns: 'appApi' })}</div>}
-                  <div className="w-[200px] shrink-0 px-3">{t('apiKeyModal.created', { ns: 'appApi' })}</div>
-                  <div className="w-[200px] shrink-0 px-3">{t('apiKeyModal.lastUsed', { ns: 'appApi' })}</div>
-                  <div className="grow px-3"></div>
+                  <div className="min-w-0 flex-[1.8] truncate px-3">{t('apiKeyModal.secretKey', { ns: 'appApi' })}</div>
+                  {!appId && <div className="min-w-0 flex-[1.3] truncate px-3">{t('apiKeyModal.scope', { ns: 'appApi' })}</div>}
+                  <div className="min-w-0 flex-[1.8] truncate px-3">{t('apiKeyModal.created', { ns: 'appApi' })}</div>
+                  <div className="min-w-0 flex-[1.8] truncate px-3">{t('apiKeyModal.lastUsed', { ns: 'appApi' })}</div>
+                  <div className="w-20 shrink-0 px-3"></div>
                 </div>
-                <div className="grow overflow-auto">
+                <div className="grow overflow-x-hidden overflow-y-auto">
                   {apiKeysList.data.map(api => (
                     <div className="flex h-9 items-center border-b border-divider-regular text-sm font-normal text-text-secondary" key={api.id}>
-                      <div className="w-64 shrink-0 truncate px-3 font-mono">{generateToken(api.token)}</div>
-                      {!appId && <div className="w-[180px] shrink-0 truncate px-3">{getScopeLabel(api.dataset_id)}</div>}
-                      <div className="w-[200px] shrink-0 truncate px-3">{formatTime(Number(api.created_at), t('dateTimeFormat', { ns: 'appLog' }) as string)}</div>
-                      <div className="w-[200px] shrink-0 truncate px-3">{api.last_used_at ? formatTime(Number(api.last_used_at), t('dateTimeFormat', { ns: 'appLog' }) as string) : t('never', { ns: 'appApi' })}</div>
-                      <div className="flex grow space-x-2 px-3">
+                      <div className="min-w-0 flex-[1.8] truncate px-3 font-mono">{generateToken(api.token)}</div>
+                      {!appId && <div className="min-w-0 flex-[1.3] truncate px-3" title={getScopeLabel(api.dataset_id)}>{getScopeLabel(api.dataset_id)}</div>}
+                      <div className="min-w-0 flex-[1.8] truncate px-3">{formatTime(Number(api.created_at), t('dateTimeFormat', { ns: 'appLog' }) as string)}</div>
+                      <div className="min-w-0 flex-[1.8] truncate px-3">{api.last_used_at ? formatTime(Number(api.last_used_at), t('dateTimeFormat', { ns: 'appLog' }) as string) : t('never', { ns: 'appApi' })}</div>
+                      <div className="flex w-20 shrink-0 space-x-2 px-3">
                         <CopyFeedback content={api.token} />
                         {isCurrentWorkspaceManager && (
                           <ActionButton

From fdeef63c45a8e90d204f8e7c2e11b6ea685c678d Mon Sep 17 00:00:00 2001
From: yungle246 <yungle246@gmail.com>
Date: Sun, 21 Jun 2026 00:12:31 +0900
Subject: [PATCH 5/9] test(web): add useDatasetScopedApiKeys to
 develop-page-flow mock

DevelopMain renders the SecretKeyModal, which now calls
useDatasetScopedApiKeys; the use-dataset mock in this flow test was
missing that export, causing the modal to throw at render.
---
 web/__tests__/develop/develop-page-flow.test.tsx | 1 +
 1 file changed, 1 insertion(+)

diff --git a/web/__tests__/develop/develop-page-flow.test.tsx b/web/__tests__/develop/develop-page-flow.test.tsx
index 4c4bcd0f064..f2360aa7455 100644
--- a/web/__tests__/develop/develop-page-flow.test.tsx
+++ b/web/__tests__/develop/develop-page-flow.test.tsx
@@ -84,6 +84,7 @@ vi.mock('@/service/use-apps', () => ({
 
 vi.mock('@/service/knowledge/use-dataset', () => ({
   useDatasetApiKeys: () => ({ data: null, isLoading: false }),
+  useDatasetScopedApiKeys: () => ({ data: null, isLoading: false }),
   useInvalidateDatasetApiKeys: () => vi.fn(),
 }))
 

From c153cd19cca5fd05a8780af3dfe1cb7439bf6156 Mon Sep 17 00:00:00 2001
From: "autofix-ci[bot]" <114827586+autofix-ci[bot]@users.noreply.github.com>
Date: Tue, 23 Jun 2026 09:29:03 +0000
Subject: [PATCH 6/9] [autofix.ci] apply automated fixes

---
 packages/contracts/generated/api/console/agent/types.gen.ts | 1 +
 packages/contracts/generated/api/console/agent/zod.gen.ts   | 1 +
 2 files changed, 2 insertions(+)

diff --git a/packages/contracts/generated/api/console/agent/types.gen.ts b/packages/contracts/generated/api/console/agent/types.gen.ts
index aa21f2ce651..6d647d6add4 100644
--- a/packages/contracts/generated/api/console/agent/types.gen.ts
+++ b/packages/contracts/generated/api/console/agent/types.gen.ts
@@ -101,6 +101,7 @@ export type ApiKeyList = {
 
 export type ApiKeyItem = {
   created_at?: number | null
+  dataset_id?: string | null
   id: string
   last_used_at?: number | null
   token: string
diff --git a/packages/contracts/generated/api/console/agent/zod.gen.ts b/packages/contracts/generated/api/console/agent/zod.gen.ts
index cb4107f2d53..237be1a319d 100644
--- a/packages/contracts/generated/api/console/agent/zod.gen.ts
+++ b/packages/contracts/generated/api/console/agent/zod.gen.ts
@@ -34,6 +34,7 @@ export const zAgentApiStatusPayload = z.object({
  */
 export const zApiKeyItem = z.object({
   created_at: z.int().nullish(),
+  dataset_id: z.string().nullish(),
   id: z.string(),
   last_used_at: z.int().nullish(),
   token: z.string(),

From 30d5e4987cf6871a43f48d9a9e67523092539eef Mon Sep 17 00:00:00 2001
From: yungle246 <yungle246@gmail.com>
Date: Tue, 23 Jun 2026 18:32:22 +0900
Subject: [PATCH 7/9] fix(migration): re-point dataset_id migration onto new
 head c8f4a6b2d3e1

Merging main again brought new upstream migrations, making our migration
a second head. Chain it after the current head (c8f4a6b2d3e1) to restore
a single Alembic head.
---
 ...26_06_17_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/migrations/versions/2026_06_17_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py b/api/migrations/versions/2026_06_17_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py
index aaa2f902c46..161961da4aa 100644
--- a/api/migrations/versions/2026_06_17_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py
+++ b/api/migrations/versions/2026_06_17_0900-e4f8a2c61d35_add_dataset_id_to_api_tokens.py
@@ -1,7 +1,7 @@
 """add dataset_id to api_tokens
 
 Revision ID: e4f8a2c61d35
-Revises: 4f7b2c8d9a10
+Revises: c8f4a6b2d3e1
 Create Date: 2026-06-17 09:00:00.000000
 
 Reintroduces the nullable `dataset_id` column on `api_tokens` (it was dropped in
@@ -23,7 +23,7 @@ import models as models
 
 # revision identifiers, used by Alembic.
 revision = "e4f8a2c61d35"
-down_revision = "4f7b2c8d9a10"
+down_revision = "c8f4a6b2d3e1"
 branch_labels = None
 depends_on = None
 

From a79bc7d074eef0ecaea7e90c95006934db68c953 Mon Sep 17 00:00:00 2001
From: yungle246 <yungle246@gmail.com>
Date: Thu, 25 Jun 2026 14:21:38 +0900
Subject: [PATCH 8/9] feat(api): mask secret tokens in api-key list responses
 (reveal-once)

Previously the console api-key list returned every key's full plaintext
token, so anyone with console access could retrieve the secret of an
already-created key (via the copy button or the raw API response). This
is contrary to the reveal-once norm.

- List endpoints (app keys, workspace dataset keys, per-dataset keys) now
  return a masked token (prefix + last 4); the full secret is only ever
  returned by the create endpoint, at creation time.
- Frontend secret-key modal displays the masked token as-is and drops the
  copy affordance for existing keys (copying a masked value is pointless).

Applies to both app and dataset keys since they share the modal and the
ApiKeyItem response model.
---
 api/controllers/console/apikey.py             | 27 ++++++++++++-
 api/controllers/console/datasets/datasets.py  |  4 +-
 .../console/datasets/test_datasets.py         |  9 +++--
 .../controllers/console/test_apikey.py        | 38 +++++++++++++++++--
 .../__tests__/secret-key-modal.spec.tsx       | 34 ++++++++---------
 .../develop/secret-key/secret-key-modal.tsx   | 14 +++----
 6 files changed, 89 insertions(+), 37 deletions(-)

diff --git a/api/controllers/console/apikey.py b/api/controllers/console/apikey.py
index 7f6879754ad..2bd050464f9 100644
--- a/api/controllers/console/apikey.py
+++ b/api/controllers/console/apikey.py
@@ -1,3 +1,4 @@
+from collections.abc import Iterable
 from datetime import datetime
 from typing import override
 from uuid import UUID
@@ -58,6 +59,28 @@ class ApiKeyList(ResponseModel):
 register_response_schema_models(console_ns, ApiKeyItem, ApiKeyList)
 
 
+def mask_api_token(token: str) -> str:
+    """Mask a secret token for list responses.
+
+    Reveal-once: the full secret is only returned by the create endpoint. List
+    endpoints expose just enough (prefix + last 4) to identify a key, never the
+    full value, so an existing key's secret cannot be retrieved after creation.
+    """
+    if len(token) <= 8:
+        return "***"
+    return f"{token[:5]}...{token[-4:]}"
+
+
+def build_masked_api_key_list(api_tokens: Iterable[ApiToken]) -> ApiKeyList:
+    """Build an ApiKeyList from ORM tokens with their secrets masked."""
+    items: list[ApiKeyItem] = []
+    for api_token in api_tokens:
+        item = ApiKeyItem.model_validate(api_token, from_attributes=True)
+        item.token = mask_api_token(item.token)
+        items.append(item)
+    return ApiKeyList(data=items)
+
+
 def _get_resource(resource_id, tenant_id, resource_model):
     with sessionmaker(db.engine).begin() as session:
         resource = session.execute(
@@ -91,7 +114,7 @@ class BaseApiKeyListResource(Resource):
                 ApiToken.type == self.resource_type, getattr(ApiToken, self.resource_id_field) == resource_id
             )
         ).all()
-        return ApiKeyList.model_validate({"data": keys}, from_attributes=True)
+        return build_masked_api_key_list(keys)
 
     @edit_permission_required
     def post(self, resource_id: str, current_tenant_id: str) -> tuple[dict[str, object], int]:
@@ -258,7 +281,7 @@ class DatasetApiKeyListResource(BaseApiKeyListResource):
                 or_(ApiToken.dataset_id == resource_id, ApiToken.dataset_id.is_(None)),
             )
         ).all()
-        return ApiKeyList.model_validate({"data": keys}, from_attributes=True)
+        return build_masked_api_key_list(keys)
 
     @console_ns.doc("create_dataset_api_key")
     @console_ns.doc(description="Create a new API key bound to a single dataset")
diff --git a/api/controllers/console/datasets/datasets.py b/api/controllers/console/datasets/datasets.py
index 55bc85483d5..22259611c78 100644
--- a/api/controllers/console/datasets/datasets.py
+++ b/api/controllers/console/datasets/datasets.py
@@ -13,7 +13,7 @@ from configs import dify_config
 from controllers.common.fields import ApiBaseUrlResponse, SimpleResultResponse, UsageCheckResponse
 from controllers.common.schema import query_params_from_model, register_response_schema_models, register_schema_models
 from controllers.console import console_ns
-from controllers.console.apikey import ApiKeyItem, ApiKeyList
+from controllers.console.apikey import ApiKeyItem, ApiKeyList, build_masked_api_key_list
 from controllers.console.app.error import ProviderNotInitializeError
 from controllers.console.datasets.error import DatasetInUseError, DatasetNameDuplicateError, IndexingEstimateError
 from controllers.console.wraps import (
@@ -1007,7 +1007,7 @@ class DatasetApiKeyApi(Resource):
         keys = db.session.scalars(
             select(ApiToken).where(ApiToken.type == self.resource_type, ApiToken.tenant_id == current_tenant_id)
         ).all()
-        return ApiKeyList.model_validate({"data": keys}, from_attributes=True).model_dump(mode="json")
+        return build_masked_api_key_list(keys).model_dump(mode="json")
 
     @console_ns.response(200, "API key created successfully", console_ns.models[ApiKeyItem.__name__])
     @console_ns.response(400, "Maximum keys exceeded")
diff --git a/api/tests/unit_tests/controllers/console/datasets/test_datasets.py b/api/tests/unit_tests/controllers/console/datasets/test_datasets.py
index a4ac0af21c8..a2b1744cafc 100644
--- a/api/tests/unit_tests/controllers/console/datasets/test_datasets.py
+++ b/api/tests/unit_tests/controllers/console/datasets/test_datasets.py
@@ -1759,14 +1759,14 @@ class TestDatasetApiKeyApi:
         mock_key_1.id = "key-1"
         mock_key_1.type = "dataset"
         mock_key_1.dataset_id = None
-        mock_key_1.token = "ds-abc"
+        mock_key_1.token = "dataset-aaaa1111bbbb"
         mock_key_1.last_used_at = None
         mock_key_1.created_at = None
         mock_key_2 = MagicMock(spec=ApiToken)
         mock_key_2.id = "key-2"
         mock_key_2.type = "dataset"
         mock_key_2.dataset_id = None
-        mock_key_2.token = "ds-def"
+        mock_key_2.token = "dataset-cccc2222dddd"
         mock_key_2.last_used_at = None
         mock_key_2.created_at = None
 
@@ -1781,10 +1781,11 @@ class TestDatasetApiKeyApi:
 
         assert "data" in response
         assert len(response["data"]) == 2
+        # reveal-once: the list returns masked tokens, never the full secret
         assert response["data"][0]["id"] == "key-1"
-        assert response["data"][0]["token"] == "ds-abc"
+        assert response["data"][0]["token"] == "datas...bbbb"
         assert response["data"][1]["id"] == "key-2"
-        assert response["data"][1]["token"] == "ds-def"
+        assert response["data"][1]["token"] == "datas...dddd"
 
     def test_post_create_api_key_success(self, app: Flask):
         api = DatasetApiKeyApi()
diff --git a/api/tests/unit_tests/controllers/console/test_apikey.py b/api/tests/unit_tests/controllers/console/test_apikey.py
index 803fbfaef8d..06fa7a62d70 100644
--- a/api/tests/unit_tests/controllers/console/test_apikey.py
+++ b/api/tests/unit_tests/controllers/console/test_apikey.py
@@ -9,7 +9,13 @@ from unittest.mock import patch
 import pytest
 from werkzeug.exceptions import Forbidden
 
-from controllers.console.apikey import BaseApiKeyListResource, BaseApiKeyResource, DatasetApiKeyListResource
+from controllers.console.apikey import (
+    BaseApiKeyListResource,
+    BaseApiKeyResource,
+    DatasetApiKeyListResource,
+    build_masked_api_key_list,
+    mask_api_token,
+)
 from models import Account
 from models.account import AccountStatus, TenantAccountRole
 from models.dataset import Dataset
@@ -45,12 +51,37 @@ def _make_account(role: TenantAccountRole) -> Account:
     return account
 
 
+def test_mask_api_token_reveals_only_a_fragment() -> None:
+    # full secret must never be reproducible from the masked value
+    masked = mask_api_token("dataset-mqxAkpML14jRmgsb6Z7DBnVq")
+    assert masked == "datas...BnVq"
+    assert "mqxAkpML" not in masked
+    # very short tokens are fully hidden
+    assert mask_api_token("short") == "***"
+
+
+def test_build_masked_api_key_list_masks_every_token() -> None:
+    keys = [
+        SimpleNamespace(
+            id="key-1",
+            type=ApiTokenType.DATASET,
+            token="dataset-aaaabbbbccccdddd",
+            dataset_id="ds-1",
+            last_used_at=None,
+            created_at=None,
+        ),
+    ]
+    result = build_masked_api_key_list(keys)
+    assert result.data[0].token == "datas...dddd"
+    assert result.data[0].dataset_id == "ds-1"
+
+
 def test_list_api_keys_uses_injected_tenant_id() -> None:
     resource = _make_list_resource()
     api_key = SimpleNamespace(
         id="key-1",
         type=ApiTokenType.APP,
-        token="app-token",
+        token="app-1234567890abcdef",
         last_used_at=None,
         created_at=None,
     )
@@ -68,8 +99,9 @@ def test_list_api_keys_uses_injected_tenant_id() -> None:
         "data": [
             {
                 "id": "key-1",
+                # reveal-once: the list never returns the full secret, only a masked fragment
                 "type": "app",
-                "token": "app-token",
+                "token": "app-1...cdef",
                 "dataset_id": None,
                 "last_used_at": None,
                 "created_at": None,
diff --git a/web/app/components/develop/secret-key/__tests__/secret-key-modal.spec.tsx b/web/app/components/develop/secret-key/__tests__/secret-key-modal.spec.tsx
index a675bf7bb31..9344011c602 100644
--- a/web/app/components/develop/secret-key/__tests__/secret-key-modal.spec.tsx
+++ b/web/app/components/develop/secret-key/__tests__/secret-key-modal.spec.tsx
@@ -177,7 +177,7 @@ describe('SecretKeyModal', () => {
 
     it('should render API keys when available', async () => {
       await renderModal(<SecretKeyModal {...defaultProps} appId="app-123" />)
-      expect(screen.getByText('sk-...k-abc123def456ghi789')).toBeInTheDocument()
+      expect(screen.getByText('sk-abc123def456ghi789')).toBeInTheDocument()
     })
 
     it('should render created time for keys', async () => {
@@ -236,7 +236,7 @@ describe('SecretKeyModal', () => {
 
     it('should render dataset API keys when no appId', async () => {
       await renderModal(<SecretKeyModal {...defaultProps} />)
-      expect(screen.getByText('dk-...k-abc123def456ghi789')).toBeInTheDocument()
+      expect(screen.getByText('dk-abc123def456ghi789')).toBeInTheDocument()
     })
   })
 
@@ -445,14 +445,14 @@ describe('SecretKeyModal', () => {
     it('should render delete button for permitted users', async () => {
       await renderModal(<SecretKeyModal {...defaultProps} appId="app-123" />)
 
-      const actionButtons = screen.getAllByRole('button')
-      expect(actionButtons.length).toBeGreaterThanOrEqual(3)
+      const actionButtons = document.body.querySelectorAll('button.action-btn')
+      expect(actionButtons.length).toBeGreaterThanOrEqual(1)
     })
 
     it('should render API key row with actions', async () => {
       await renderModal(<SecretKeyModal {...defaultProps} appId="app-123" />)
 
-      expect(screen.getByText('sk-...k-abc123def456ghi789')).toBeInTheDocument()
+      expect(screen.getByText('sk-abc123def456ghi789')).toBeInTheDocument()
     })
 
     it('should have action buttons in the key row', async () => {
@@ -475,7 +475,7 @@ describe('SecretKeyModal', () => {
       await renderModal(<SecretKeyModal {...defaultProps} appId="app-123" />)
 
       const actionButtons = document.body.querySelectorAll('button.action-btn')
-      const deleteButton = actionButtons[1]
+      const deleteButton = actionButtons[0]
       expect(deleteButton).toBeInTheDocument()
 
       await act(async () => {
@@ -495,7 +495,7 @@ describe('SecretKeyModal', () => {
       await renderModal(<SecretKeyModal {...defaultProps} appId="app-123" />)
 
       const actionButtons = document.body.querySelectorAll('button.action-btn')
-      const deleteButton = actionButtons[1]
+      const deleteButton = actionButtons[0]
       await act(async () => {
         await user.click(deleteButton!)
         vi.runAllTimers()
@@ -525,7 +525,7 @@ describe('SecretKeyModal', () => {
       await renderModal(<SecretKeyModal {...defaultProps} appId="app-123" />)
 
       const actionButtons = document.body.querySelectorAll('button.action-btn')
-      const deleteButton = actionButtons[1]
+      const deleteButton = actionButtons[0]
       await act(async () => {
         await user.click(deleteButton!)
         vi.runAllTimers()
@@ -552,7 +552,7 @@ describe('SecretKeyModal', () => {
       await renderModal(<SecretKeyModal {...defaultProps} appId="app-123" />)
 
       const actionButtons = document.body.querySelectorAll('button.action-btn')
-      const deleteButton = actionButtons[1]
+      const deleteButton = actionButtons[0]
       await act(async () => {
         await user.click(deleteButton!)
         vi.runAllTimers()
@@ -581,7 +581,7 @@ describe('SecretKeyModal', () => {
       await renderModal(<SecretKeyModal {...defaultProps} appId="app-123" />)
 
       const actionButtons = document.body.querySelectorAll('button.action-btn')
-      const deleteButton = actionButtons[1]
+      const deleteButton = actionButtons[0]
       await act(async () => {
         await user.click(deleteButton!)
         vi.runAllTimers()
@@ -617,7 +617,7 @@ describe('SecretKeyModal', () => {
       await renderModal(<SecretKeyModal {...defaultProps} />)
 
       const actionButtons = document.body.querySelectorAll('button.action-btn')
-      const deleteButton = actionButtons[1]
+      const deleteButton = actionButtons[0]
       await act(async () => {
         await user.click(deleteButton!)
         vi.runAllTimers()
@@ -652,7 +652,7 @@ describe('SecretKeyModal', () => {
       await renderModal(<SecretKeyModal {...defaultProps} datasetId="dataset-123" />)
 
       const actionButtons = document.body.querySelectorAll('button.action-btn')
-      const deleteButton = actionButtons[1]
+      const deleteButton = actionButtons[0]
       await act(async () => {
         await user.click(deleteButton!)
         vi.runAllTimers()
@@ -697,7 +697,7 @@ describe('SecretKeyModal', () => {
       await renderModal(<SecretKeyModal {...defaultProps} />)
 
       const actionButtons = document.body.querySelectorAll('button.action-btn')
-      const deleteButton = actionButtons[1]
+      const deleteButton = actionButtons[0]
       await act(async () => {
         await user.click(deleteButton!)
         vi.runAllTimers()
@@ -720,16 +720,16 @@ describe('SecretKeyModal', () => {
     })
   })
 
-  describe('token truncation', () => {
-    it('should truncate token correctly', async () => {
+  describe('token display', () => {
+    it('should display the token exactly as provided by the API (no client-side reveal)', async () => {
       const apiKeys = [
-        { id: 'key-1', token: 'sk-abcdefghijklmnopqrstuvwxyz1234567890', created_at: 1700000000, last_used_at: null },
+        { id: 'key-1', token: 'sk-...7890', created_at: 1700000000, last_used_at: null },
       ]
       mockAppApiKeysData.mockReturnValue({ data: apiKeys })
 
       await renderModal(<SecretKeyModal {...defaultProps} appId="app-123" />)
 
-      expect(screen.getByText('sk-...qrstuvwxyz1234567890')).toBeInTheDocument()
+      expect(screen.getByText('sk-...7890')).toBeInTheDocument()
     })
   })
 
diff --git a/web/app/components/develop/secret-key/secret-key-modal.tsx b/web/app/components/develop/secret-key/secret-key-modal.tsx
index e30c0cc84ba..a6e842e5825 100644
--- a/web/app/components/develop/secret-key/secret-key-modal.tsx
+++ b/web/app/components/develop/secret-key/secret-key-modal.tsx
@@ -19,7 +19,6 @@ import {
 } from 'react'
 import { useTranslation } from 'react-i18next'
 import ActionButton from '@/app/components/base/action-button'
-import CopyFeedback from '@/app/components/base/copy-feedback'
 import Loading from '@/app/components/base/loading'
 import { useAppContext } from '@/context/app-context'
 import useTimestamp from '@/hooks/use-timestamp'
@@ -122,10 +121,6 @@ const SecretKeyModal = ({
       : t('apiKeyModal.scopeBoundDataset', { ns: 'appApi' })
   }
 
-  const generateToken = (token: string) => {
-    return `${token.slice(0, 3)}...${token.slice(-20)}`
-  }
-
   const handleDeleteConfirmOpenChange = (open: boolean) => {
     if (open)
       return
@@ -154,7 +149,9 @@ const SecretKeyModal = ({
           </DialogTitle>
 
           <div className="-mt-6 -mr-2 mb-4 flex justify-end">
-            <span className="i-heroicons-x-mark-20-solid size-6 cursor-pointer text-text-tertiary" onClick={handleClose} />
+            <button type="button" aria-label={t('operation.cancel', { ns: 'common' })} className="border-none bg-transparent p-0 text-text-tertiary" onClick={handleClose}>
+              <span className="i-heroicons-x-mark-20-solid size-6 cursor-pointer" />
+            </button>
           </div>
           <p className="mt-1 shrink-0 text-[13px] leading-5 font-normal text-text-tertiary">{t('apiKeyModal.apiSecretKeyTips', { ns: 'appApi' })}</p>
           {isApiKeysLoading && <div className="mt-4"><Loading /></div>}
@@ -171,12 +168,11 @@ const SecretKeyModal = ({
                 <div className="grow overflow-x-hidden overflow-y-auto">
                   {apiKeysList.data.map(api => (
                     <div className="flex h-9 items-center border-b border-divider-regular text-sm font-normal text-text-secondary" key={api.id}>
-                      <div className="min-w-0 flex-[1.8] truncate px-3 font-mono">{generateToken(api.token)}</div>
+                      <div className="min-w-0 flex-[1.8] truncate px-3 font-mono">{api.token}</div>
                       {!appId && <div className="min-w-0 flex-[1.3] truncate px-3" title={getScopeLabel(api.dataset_id)}>{getScopeLabel(api.dataset_id)}</div>}
                       <div className="min-w-0 flex-[1.8] truncate px-3">{formatTime(Number(api.created_at), t('dateTimeFormat', { ns: 'appLog' }) as string)}</div>
                       <div className="min-w-0 flex-[1.8] truncate px-3">{api.last_used_at ? formatTime(Number(api.last_used_at), t('dateTimeFormat', { ns: 'appLog' }) as string) : t('never', { ns: 'appApi' })}</div>
-                      <div className="flex w-20 shrink-0 space-x-2 px-3">
-                        <CopyFeedback content={api.token} />
+                      <div className="flex w-20 shrink-0 justify-end space-x-2 px-3">
                         {canManage && (
                           <ActionButton
                             onClick={() => {

From d3c62d96481df27d22a07f86b9cc472a895a092c Mon Sep 17 00:00:00 2001
From: "autofix-ci[bot]" <114827586+autofix-ci[bot]@users.noreply.github.com>
Date: Thu, 25 Jun 2026 05:26:24 +0000
Subject: [PATCH 9/9] [autofix.ci] apply automated fixes

---
 eslint-suppressions.json | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/eslint-suppressions.json b/eslint-suppressions.json
index a9975b4476e..5c849574f34 100644
--- a/eslint-suppressions.json
+++ b/eslint-suppressions.json
@@ -3492,14 +3492,6 @@
       "count": 2
     }
   },
-  "web/app/components/develop/secret-key/secret-key-modal.tsx": {
-    "jsx-a11y/click-events-have-key-events": {
-      "count": 1
-    },
-    "jsx-a11y/no-static-element-interactions": {
-      "count": 1
-    }
-  },
   "web/app/components/explore/banner/__tests__/indicator-button.spec.tsx": {
     "jsx-a11y/click-events-have-key-events": {
       "count": 1