With regards to secret scanning, a shout-out to the "secret-token" URI scheme <a href="https://datatracker.ietf.org/doc/html/rfc8959" rel="nofollow">https://datatracker.ietf.org/doc/html/rfc8959</a><p>Also, in addition to showing the creation date of the API key, I find it super friendly if it is possible to name the API key (and/or add a note to it).
Regarding retrievable vs. irretrievable, I think it is a matter of whom you delegate the ownership of the security to. Using irretrievable keys, you are transferring that to your users, who in a lot of scenarios just store them in plain text in non-secure places.<p>I think having the chance to retrieve the API keys gives a much better developer experience to your consumers.
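An added example (not from the article or from any commenter) that puts the two points above together: keys are issued with the RFC 8959 "secret-token:" prefix so secret scanners can recognise them, and the server keeps only a hash, which is the irretrievable design being debated. The KeyStore and StoredKey types, the name field and the leaked shell snippet are constructed for illustration and are not anything the article describes.

```python
"""Irretrievable API keys with the RFC 8959 secret-token: prefix, plus a
small scanner that recognises that prefix. Illustrative code only."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# RFC 8959: the token immediately follows the scheme name and is built from
# URI "pchar" characters (unreserved, pct-encoded, sub-delims, ":" and "@").
# The class below approximates pct-encoded by allowing a bare "%".
SCHEME = "secret-token:"
TOKEN_RE = re.compile(r"secret-token:[A-Za-z0-9\-._~%!$&'()*+,;=:@]+")


def _digest(full_key: str) -> str:
    # Keys carry 256 bits of fresh entropy, so a fast hash is enough here;
    # a slow password hash only matters when the secret could be guessed.
    return hashlib.sha256(full_key.encode()).hexdigest()


@dataclass
class StoredKey:
    key_id: str        # public part, safe to show in listings
    name: str          # user-supplied label (hypothetical metadata)
    digest: str        # SHA-256 of the full key; the key itself is never stored
    created_at: str
    revoked: bool = False


@dataclass
class KeyStore:
    """Irretrievable design: the full key is returned exactly once, at creation."""
    keys: Dict[str, StoredKey] = field(default_factory=dict)

    def create(self, name: str) -> Tuple[str, StoredKey]:
        key_id = secrets.token_hex(4)          # 8 hex chars, used for lookup
        secret = secrets.token_urlsafe(32)     # [A-Za-z0-9_-], all valid pchar
        full = f"{SCHEME}{key_id}.{secret}"
        rec = StoredKey(key_id, name, _digest(full),
                        datetime.now(timezone.utc).isoformat())
        self.keys[key_id] = rec
        return full, rec

    def verify(self, presented: str) -> Optional[StoredKey]:
        if not presented.startswith(SCHEME):
            return None
        key_id, _, _ = presented[len(SCHEME):].partition(".")
        rec = self.keys.get(key_id)
        if rec is None or rec.revoked:
            return None
        # constant-time compare of the hex digests avoids a timing side channel
        if not hmac.compare_digest(rec.digest, _digest(presented)):
            return None
        return rec


def scan_for_tokens(text: str) -> List[Tuple[int, str]]:
    """Return (line number, redacted token) for every secret-token: in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            # keep scheme plus 4 chars so the finding is identifiable, not reusable
            hits.append((lineno, tok[:len(SCHEME) + 4] + "***"))
    return hits


# Constructed sample input: a shell snippet that leaked two keys.
SAMPLE_TEXT = """\
export DEPLOY_KEY=secret-token:1a2b3c4d.Q7x-YzPk_9r2TfWn3s8vH0LmB4cD6eFg1hJ5kN7pR
# harmless line with no secrets
curl -H "Authorization: Bearer secret-token:deadbeef.abcdefghijklmnopqrstuvwxyz0123456789-_ABCDE" https://api.example.test/v1/me
"""


if __name__ == "__main__":
    store = KeyStore()
    full, rec = store.create("ci-deploy")
    print("show once:", full)
    print("verify:", store.verify(full) is rec)
    print("tampered:", store.verify(full[:-1] + "!") is None)
    for lineno, redacted in scan_for_tokens(SAMPLE_TEXT):
        print(f"line {lineno}: {redacted}")
```

The prefix is the cheap part of this design: a scanner does not need per-vendor patterns, only the scheme name, while the hash-only storage means a database dump yields nothing that can be presented as a key. The trade-off raised above remains: once the key leaves create(), only the user has it.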
Author of the article here - look forward to any discussion here. Curious how many folks have already implemented something like this themselves... did you make different decisions?