Just a handful of misc feature requests related to API tokens, I’m guessing many are already known. All “nice-to-have”.
1. Re-identifying tokens
Make it possible to re-identify keys in the dashboard, eg show the last few bits of the key “••••b33f”. Helpful when you didn’t create distinguishing enough key comments. (Mint larger/longer keys to compensate for the revealed entropy, I guess).
2. Consolidate/hide “fly ui” tokens
Somehow I’ve got a couple dozen “fly ui” tokens in my panel now. Doubt anyone needs granular control over these, maybe just a “log out other dashboard sessions” button…?
3. Record & show “last used” by key
Always nice when you can see when a platform last observed a key - helpful in periodic audits & cleanup (“eh, hasn’t been used in months - let’s delete it, unlikely to break prod”). Bonus points for IP and user-agent here.
4. Be an oauth provider
It’d be great if instead of prompting a customer to vend an API token, we could thunk folks over to fly.io for one, similar to how GitHub etc work. Saves the copy/paste, and as a bonus gives Fly some addl controls and visibility into api integrations (e.g. see how many instances of an app there are, rate limit all of $BAD_APP’s keys differently, etc).
5. Permission scopes
Have to imagine you’re working on it. Most useful scopes to me would be (a) org-level (limit to specific org), (b) r/o vs r/w. Just don’t create another aws IAM maze… 
cheers!