New-key page shows the key but no instructions on how to use it (Bearer header) #3

@SyniRon

Summary

When a user generates or rotates an API key, the cav7_api_key_account_newkey template displays the raw cav7_… key in a readonly box but gives no instructions on how to send it to the API. Users don't know they must use Authorization: Bearer cav7_…, and several have hit a wall of 401s as a result (sending the raw key with no scheme, or pasting the truncated prefix… preview from the ACP instead of the full key).

Current template

_data/templates.xml, template cav7_api_key_account_newkey:

<xf:textboxrow label="Your API Key"
    name="_cav7_key_display"
    value="{$rawKey}"
    inputclass="input--mono"
    readonly="true"
    explain="Store this somewhere safe — it cannot be retrieved again." />

Proposed fix

Add a short usage example beneath the key, e.g.:

Send this key in the Authorization header of each request:

    Authorization: Bearer cav7_<your key>

Example:
    curl -H "Authorization: Bearer cav7_xxxxxxxx" https://<api-host>/api/v1/milpacs/awol

Emphasize that the full cav7_-prefixed value must be used (not the prefix… preview shown on the key list / ACP), and that the Bearer scheme is required.

Acceptance

  • The new-key page shows a copyable example of the Authorization: Bearer cav7_… header.
  • It's clear the full key (with cav7_ prefix) is required.

Related

Companion issue in 7cav/api to switch the OpenAPI security scheme to type: http / scheme: bearer so Swagger UI prepends Bearer automatically.
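
The two failure modes named in the summary (raw key with no scheme, truncated preview pasted in place of the full key) can be caught client-side before a request goes out. The following is an added example, not code from the issue or from the 7cav project; the function names, the diagnosis labels, and the rule that a truncated preview contains "…" or "..." are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check of the value sent after "Authorization: ".
# Assumptions (not from the project): function names, diagnosis labels, and
# that a truncated preview contains "…" or "...". The key length and charset
# are not stated in the issue, so they are not checked here.

# Print a diagnosis for a header value; return 0 only for "Bearer cav7_<key>".
cav7_check_header() {
    value=$1
    case $value in
        '')         echo "empty"; return 1 ;;
        'Bearer '*) token=${value#Bearer } ;;
        cav7_*)     echo "missing-scheme"; return 1 ;;   # raw key, no Bearer
        *)          echo "unknown-scheme"; return 1 ;;
    esac
    case $token in
        *…*|*...*)  echo "truncated-preview"; return 1 ;; # key-list / ACP preview
        *" "*)      echo "whitespace-in-key"; return 1 ;;
        cav7_?*)    echo "ok"; return 0 ;;
        *)          echo "not-a-cav7-key"; return 1 ;;    # cav7_ prefix missing
    esac
}

# Build the header line from a key, refusing anything that fails the check.
# Usable as: curl -H "$(cav7_auth_header "$KEY")" https://<api-host>/...
cav7_auth_header() {
    diag=$(cav7_check_header "Bearer $1") || {
        echo "refusing to send key: $diag" >&2
        return 1
    }
    printf 'Authorization: Bearer %s\n' "$1"
}

# Constructed sample values covering the cases described in the issue.
for sample in 'Bearer cav7_xxxxxxxx' 'cav7_xxxxxxxx' 'Bearer cav7_xx…' 'Bearer xxxxxxxx'; do
    printf '%-24s -> %s\n' "$sample" "$(cav7_check_header "$sample")"
done
```
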

Labels: enhancement (New feature or request)
