From e82fa3b9a5c282b9022a3786b2fc8cbe76dfaead Mon Sep 17 00:00:00 2001
From: Nathan Flurry <git@nathanflurry.com>
Date: Sun, 30 Nov 2025 17:36:10 -0800
Subject: [PATCH 1/2] feat: api keys

---
 frontend/src/app/user-dropdown.tsx | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/frontend/src/app/user-dropdown.tsx b/frontend/src/app/user-dropdown.tsx
index 1e8d7a70fc..20aec6e7a3 100644
--- a/frontend/src/app/user-dropdown.tsx
+++ b/frontend/src/app/user-dropdown.tsx
@@ -77,6 +77,18 @@ export function UserDropdown() {
 						Tokens
 					</DropdownMenuItem>
 				) : null}
+				{isMatchingProjectRoute ? (
+					<DropdownMenuItem
+						onSelect={() => {
+							navigate({
+								to: ".",
+								search: (old) => ({ ...old, modal: "api-keys" }),
+							});
+						}}
+					>
+						API Keys
+					</DropdownMenuItem>
+				) : null}
 				{clerk.organization ? (
 					<DropdownMenuItem
 						onSelect={() => {

From bc1efb9b6552c4a620bf9c1d86abc7ff453a5f0c Mon Sep 17 00:00:00 2001
From: Nathan Flurry <git@nathanflurry.com>
Date: Sun, 30 Nov 2025 01:22:42 -0800
Subject: [PATCH 2/2] feat(frontend): create api key

---
 frontend/.env                                 |   2 +-
 frontend/package.json                         |   2 +-
 .../data-providers/cloud-data-provider.tsx    |  47 ++
 frontend/src/app/dialogs/api-tokens-frame.tsx | 170 ++++++
 .../app/dialogs/create-api-token-frame.tsx    | 127 ++++
 frontend/src/app/dialogs/tokens-frame.tsx     | 134 ++++-
 .../src/app/forms/create-api-token-form.tsx   |  98 ++++
 frontend/src/app/layout.tsx                   |  26 +-
 .../src/app/publishable-token-code-group.tsx  | 165 ++++++
 frontend/src/app/use-dialog.tsx               |   4 +
 frontend/src/app/user-dropdown.tsx            |  24 -
 .../src/components/actors/data-provider.tsx   |  28 +-
 frontend/src/queries/utils.ts                 |   2 +-
 frontend/src/routeTree.gen.ts                 |  26 +
 frontend/src/routes/_context/_cloud.tsx       |  18 -
 .../ns.$namespace/connect.tsx                 | 216 +------
 .../ns.$namespace/tokens.tsx                  | 546 ++++++++++++++++++
 pnpm-lock.yaml                                |  10 +-
 18 files changed, 1362 insertions(+), 283 deletions(-)
 create mode 100644 frontend/src/app/dialogs/api-tokens-frame.tsx
 create mode 100644 frontend/src/app/dialogs/create-api-token-frame.tsx
 create mode 100644 frontend/src/app/forms/create-api-token-form.tsx
 create mode 100644 frontend/src/app/publishable-token-code-group.tsx
 create mode 100644 frontend/src/routes/_context/_cloud/orgs.$organization/projects.$project/ns.$namespace/tokens.tsx

diff --git a/frontend/.env b/frontend/.env
index 195dbc717d..a01f6ea33f 100644
--- a/frontend/.env
+++ b/frontend/.env
@@ -1,5 +1,5 @@
 VITE_APP_API_URL=http://localhost:43708/api
-VITE_APP_CLOUD_API_URL=http://localhost:43708/api
+VITE_APP_CLOUD_API_URL=http://localhost:3000
 VITE_APP_ASSETS_URL=https://assets2.rivet.gg
 VITE_APP_CLERK_PUBLISHABLE_KEY=pk_test_Zmlyc3QtZG9ua2V5LTQuY2xlcmsuYWNjb3VudHMuZGV2JA
 VITE_APP_SENTRY_DSN="https://66a566505cfb4341732a3d350f2b87e2@o4504307129188352.ingest.sentry.io/4506435887366144"
diff --git a/frontend/package.json b/frontend/package.json
index 111eb521dd..633ef73254 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -57,7 +57,7 @@
 		"@radix-ui/react-toggle-group": "^1.1.11",
 		"@radix-ui/react-tooltip": "^1.2.8",
 		"@radix-ui/react-visually-hidden": "^1.2.3",
-		"@rivet-gg/cloud": "https://pkg.pr.new/rivet-dev/cloud/@rivet-gg/cloud@bf2ebb2",
+		"@rivet-gg/cloud": "https://pkg.pr.new/rivet-dev/cloud/@rivet-gg/cloud@11dea2c",
 		"@rivet-gg/icons": "workspace:*",
 		"@rivetkit/engine-api-full": "workspace:*",
 		"@sentry/react": "^8.55.0",
diff --git a/frontend/src/app/data-providers/cloud-data-provider.tsx b/frontend/src/app/data-providers/cloud-data-provider.tsx
index 74591ac66c..27d30568c9 100644
--- a/frontend/src/app/data-providers/cloud-data-provider.tsx
+++ b/frontend/src/app/data-providers/cloud-data-provider.tsx
@@ -330,6 +330,53 @@ export const createProjectContext = ({
 				},
 			});
 		},
+		// API Token methods
+		apiTokensQueryOptions() {
+			return queryOptions({
+				queryKey: [{ organization, project }, "api-tokens"],
+				queryFn: async ({ signal: abortSignal }) => {
+					const response = await client.apiTokens.list(
+						project,
+						{ org: organization },
+						{ abortSignal },
+					);
+					return response;
+				},
+			});
+		},
+		createApiTokenMutationOptions(opts?: {
+			onSuccess?: (data: Rivet.CreateApiTokenResponse) => void;
+		}) {
+			return {
+				mutationKey: [{ organization, project }, "api-tokens", "create"],
+				mutationFn: async (data: {
+					name: string;
+					expiresAt?: string;
+				}) => {
+					const response = await client.apiTokens.create(project, {
+						name: data.name,
+						expiresAt: data.expiresAt,
+						org: organization,
+					});
+					return response;
+				},
+				onSuccess: opts?.onSuccess,
+			};
+		},
+		revokeApiTokenMutationOptions(opts?: { onSuccess?: () => void }) {
+			return {
+				mutationKey: [{ organization, project }, "api-tokens", "revoke"],
+				mutationFn: async (data: { apiTokenId: string }) => {
+					const response = await client.apiTokens.revoke(
+						project,
+						data.apiTokenId,
+						{ org: organization },
+					);
+					return response;
+				},
+				onSuccess: opts?.onSuccess,
+			};
+		},
 	};
 };
 
diff --git a/frontend/src/app/dialogs/api-tokens-frame.tsx b/frontend/src/app/dialogs/api-tokens-frame.tsx
new file mode 100644
index 0000000000..33efc69f7c
--- /dev/null
+++ b/frontend/src/app/dialogs/api-tokens-frame.tsx
@@ -0,0 +1,170 @@
+import { faPlus, faQuestionCircle, faTrash, Icon } from "@rivet-gg/icons";
+import { useMutation, useQuery } from "@tanstack/react-query";
+import { useRouteContext } from "@tanstack/react-router";
+import { HelpDropdown } from "@/app/help-dropdown";
+import {
+	Button,
+	type DialogContentProps,
+	Frame,
+	Skeleton,
+	Table,
+	TableBody,
+	TableCell,
+	TableHead,
+	TableHeader,
+	TableRow,
+} from "@/components";
+import { queryClient } from "@/queries/global";
+import { useDialog } from "@/app/use-dialog";
+
+interface ApiTokensFrameContentProps extends DialogContentProps {}
+
+export default function ApiTokensFrameContent({
+	onClose,
+}: ApiTokensFrameContentProps) {
+	const { dataProvider } = useRouteContext({
+		from: "/_context/_cloud/orgs/$organization/projects/$project",
+	});
+
+	const { data, isLoading } = useQuery(dataProvider.apiTokensQueryOptions());
+
+	const { open: openCreateApiToken, dialog: createApiTokenDialog } =
+		useDialog.CreateApiToken({});
+
+	return (
+		<>
+			<Frame.Header>
+				<Frame.Title className="gap-2 flex items-center">
+						<div>Cloud API Tokens</div>
+					<HelpDropdown>
+						<Button variant="ghost" size="icon">
+							<Icon icon={faQuestionCircle} />
+						</Button>
+					</HelpDropdown>
+				</Frame.Title>
+				<Frame.Description>
+					Cloud API tokens provide programmatic access to the Rivet Cloud API. Keep
+					them secure and never share them publicly.
+				</Frame.Description>
+			</Frame.Header>
+			<Frame.Content>
+				{isLoading ? (
+					<div className="space-y-2">
+						<Skeleton className="w-full h-12" />
+						<Skeleton className="w-full h-12" />
+						<Skeleton className="w-full h-12" />
+					</div>
+				) : (
+					<Table>
+						<TableHeader>
+							<TableRow>
+								<TableHead>Name</TableHead>
+								<TableHead>Token</TableHead>
+								<TableHead>Created</TableHead>
+								<TableHead>Expires</TableHead>
+								<TableHead w="min" />
+							</TableRow>
+						</TableHeader>
+						<TableBody>
+							{data?.apiTokens.length === 0 ? (
+								<TableRow>
+									<TableCell colSpan={5} className="text-center py-8 text-muted-foreground">
+										No Cloud API tokens yet. Create one to get started.
+									</TableCell>
+								</TableRow>
+							) : (
+								data?.apiTokens.map((apiToken) => (
+									<ApiTokenRow
+										key={apiToken.id}
+										apiToken={apiToken}
+										dataProvider={dataProvider}
+									/>
+								))
+							)}
+							<TableRow>
+								<TableCell colSpan={5}>
+									<Button
+										variant="outline"
+										onClick={() => openCreateApiToken()}
+										startIcon={<Icon icon={faPlus} />}
+										className="w-full"
+									>
+										Create Cloud API Token
+									</Button>
+								</TableCell>
+							</TableRow>
+						</TableBody>
+					</Table>
+				)}
+			</Frame.Content>
+			<Frame.Footer>
+				<Button variant="secondary" onClick={onClose}>
+					Close
+				</Button>
+			</Frame.Footer>
+			{createApiTokenDialog}
+		</>
+	);
+}
+
+interface ApiTokenRowProps {
+	apiToken: {
+		id: string;
+		name: string;
+		createdAt: string;
+		expiresAt?: string;
+		revoked: boolean;
+		lastFourChars: string;
+	};
+	dataProvider: ReturnType<
+		typeof useRouteContext<"/_context/_cloud/orgs/$organization/projects/$project">
+	>["dataProvider"];
+}
+
+function ApiTokenRow({ apiToken, dataProvider }: ApiTokenRowProps) {
+	const { mutate: revoke, isPending } = useMutation(
+		dataProvider.revokeApiTokenMutationOptions({
+			onSuccess: async () => {
+				await queryClient.invalidateQueries(
+					dataProvider.apiTokensQueryOptions(),
+				);
+			},
+		}),
+	);
+
+	const createdDate = new Date(apiToken.createdAt).toLocaleDateString();
+	const expiresDate = apiToken.expiresAt
+		? new Date(apiToken.expiresAt).toLocaleDateString()
+		: "Never";
+
+	return (
+		<TableRow className={apiToken.revoked ? "opacity-50" : ""}>
+			<TableCell>{apiToken.name}</TableCell>
+			<TableCell>
+				<code className="text-xs bg-muted px-2 py-1 rounded">
+					cloud_api_...{apiToken.lastFourChars}
+				</code>
+			</TableCell>
+			<TableCell>{createdDate}</TableCell>
+			<TableCell>{expiresDate}</TableCell>
+			<TableCell>
+				{!apiToken.revoked && (
+					<Button
+						variant="destructive"
+						size="sm"
+						isLoading={isPending}
+						onClick={() => {
+							revoke({ apiTokenId: apiToken.id });
+						}}
+					>
+						<Icon icon={faTrash} className="mr-1" />
+						Revoke
+					</Button>
+				)}
+				{apiToken.revoked && (
+					<span className="text-muted-foreground text-sm">Revoked</span>
+				)}
+			</TableCell>
+		</TableRow>
+	);
+}
diff --git a/frontend/src/app/dialogs/create-api-token-frame.tsx b/frontend/src/app/dialogs/create-api-token-frame.tsx
new file mode 100644
index 0000000000..cc7342a13b
--- /dev/null
+++ b/frontend/src/app/dialogs/create-api-token-frame.tsx
@@ -0,0 +1,127 @@
+import { useState } from "react";
+import { useMutation } from "@tanstack/react-query";
+import { useRouteContext } from "@tanstack/react-router";
+import {
+	Button,
+	type DialogContentProps,
+	DiscreteInput,
+	Flex,
+	Frame,
+	Label,
+} from "@/components";
+import { queryClient } from "@/queries/global";
+import * as CreateApiTokenForm from "@/app/forms/create-api-token-form";
+
+interface CreateApiTokenFrameContentProps extends DialogContentProps {}
+
+/**
+ * Convert duration string (e.g., "1y", "30d", "1h") to ISO 8601 timestamp
+ */
+function convertDurationToExpiresAt(duration: string): string | undefined {
+	if (duration === "never") {
+		return undefined;
+	}
+
+	const now = new Date();
+	const match = duration.match(/^(\d+)([mhdy])$/);
+
+	if (!match) {
+		return undefined;
+	}
+
+	const value = Number.parseInt(match[1], 10);
+	const unit = match[2];
+
+	switch (unit) {
+		case "m":
+			now.setMinutes(now.getMinutes() + value);
+			break;
+		case "h":
+			now.setHours(now.getHours() + value);
+			break;
+		case "d":
+			now.setDate(now.getDate() + value);
+			break;
+		case "y":
+			now.setFullYear(now.getFullYear() + value);
+			break;
+	}
+
+	return now.toISOString();
+}
+
+export default function CreateApiTokenFrameContent({
+	onClose,
+}: CreateApiTokenFrameContentProps) {
+	const { dataProvider } = useRouteContext({
+		from: "/_context/_cloud/orgs/$organization/projects/$project",
+	});
+	const [createdToken, setCreatedToken] = useState<string | null>(null);
+
+	const { mutateAsync, isPending } = useMutation(
+		dataProvider.createApiTokenMutationOptions({
+			onSuccess: async (data) => {
+				setCreatedToken(data.apiToken);
+				await queryClient.invalidateQueries(
+					dataProvider.apiTokensQueryOptions(),
+				);
+			},
+		}),
+	);
+
+	// Show the created token (only shown once!)
+	if (createdToken) {
+		return (
+			<>
+				<Frame.Header>
+					<Frame.Title>Create Cloud API Token</Frame.Title>
+				</Frame.Header>
+				<Frame.Content>
+					<div className="space-y-2">
+						<Label>Your Cloud API Token</Label>
+						<DiscreteInput value={createdToken} />
+						<p className="text-sm text-destructive font-medium">
+							This is the only time you'll see this token. Copy it now
+							and store it securely.
+						</p>
+					</div>
+				</Frame.Content>
+				<Frame.Footer>
+					<Button variant="default" onClick={onClose}>
+						Done
+					</Button>
+				</Frame.Footer>
+			</>
+		);
+	}
+
+	return (
+		<CreateApiTokenForm.Form
+			onSubmit={async (values) => {
+				await mutateAsync({
+					name: values.name,
+					expiresAt: values.expiresIn ? convertDurationToExpiresAt(values.expiresIn) : undefined,
+				});
+			}}
+			defaultValues={{ name: "", expiresIn: "1y" }}
+		>
+			<Frame.Header>
+				<Frame.Title>Create Cloud API Token</Frame.Title>
+			</Frame.Header>
+			<Frame.Content>
+				<Flex gap="4" direction="col">
+					<CreateApiTokenForm.Name />
+					<CreateApiTokenForm.ExpiresIn />
+				</Flex>
+			</Frame.Content>
+			<Frame.Footer>
+				<CreateApiTokenForm.Submit type="submit" isLoading={isPending}>
+					Create
+				</CreateApiTokenForm.Submit>
+				<Button variant="secondary" onClick={onClose}>
+					Cancel
+				</Button>
+			</Frame.Footer>
+		</CreateApiTokenForm.Form>
+	);
+}
diff --git a/frontend/src/app/dialogs/tokens-frame.tsx b/frontend/src/app/dialogs/tokens-frame.tsx
index 60b1908151..4447fe43ab 100644
--- a/frontend/src/app/dialogs/tokens-frame.tsx
+++ b/frontend/src/app/dialogs/tokens-frame.tsx
@@ -1,15 +1,22 @@
 import { faQuestionCircle, Icon } from "@rivet-gg/icons";
-import { useQuery } from "@tanstack/react-query";
+import { useInfiniteQuery, useQuery } from "@tanstack/react-query";
 import { useRouteContext } from "@tanstack/react-router";
+import { useEffect, useState } from "react";
+import { match } from "ts-pattern";
 import { HelpDropdown } from "@/app/help-dropdown";
+import { PublishableTokenCodeGroup } from "@/app/publishable-token-code-group";
 import {
 	Button,
+	CodePreview,
 	type DialogContentProps,
 	DiscreteInput,
 	Frame,
+	getConfig,
 	Label,
 	Skeleton,
 } from "@/components";
+import { RegionSelect } from "@/components/actors/region-select";
+import { cloudEnv } from "@/lib/env";
 
 interface TokensFrameContentProps extends DialogContentProps {}
 
@@ -20,7 +27,7 @@ export default function TokensFrameContent({
 		<>
 			<Frame.Header>
 				<Frame.Title className="gap-2 flex items-center">
-					<div>Namespace Tokens</div>
+					<div>App Tokens</div>
 					<HelpDropdown>
 						<Button variant="ghost" size="icon">
 							<Icon icon={faQuestionCircle} />
@@ -28,12 +35,11 @@ export default function TokensFrameContent({
 					</HelpDropdown>
 				</Frame.Title>
 				<Frame.Description>
-					These tokens are used to authenticate requests to the Rivet
-					API.
+					These tokens are used to authenticate your app with Rivet.
 				</Frame.Description>
 			</Frame.Header>
-			<Frame.Content>
-				<div className="items-center grid grid-cols-1 gap-6">
+			<Frame.Content className="max-h-[70vh] overflow-y-auto">
+				<div className="grid grid-cols-1 gap-8">
 					<SecretToken />
 					<PublishableToken />
 				</div>
@@ -52,21 +58,72 @@ function SecretToken() {
 		from: "/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace",
 		select: (c) => c.dataProvider,
 	});
-	const { data, isLoading } = useQuery(
+	const { data: token, isLoading: isTokenLoading } = useQuery(
 		dataProvider.engineAdminTokenQueryOptions(),
 	);
+	const { data: regions = [] } = useInfiniteQuery(
+		dataProvider.regionsQueryOptions(),
+	);
+	const [selectedDatacenter, setSelectedDatacenter] = useState<string | undefined>(
+		undefined,
+	);
+
+	// Set default datacenter when regions are loaded
+	useEffect(() => {
+		if (regions.length > 0 && !selectedDatacenter) {
+			setSelectedDatacenter(regions[0].id);
+		}
+	}, [regions, selectedDatacenter]);
+
+	const namespace = dataProvider.engineNamespace;
+
+	const endpoint = match(__APP_TYPE__)
+		.with("cloud", () => {
+			const region = regions.find((r) => r.id === selectedDatacenter);
+			return region?.endpoint || cloudEnv().VITE_APP_API_URL;
+		})
+		.with("engine", () => getConfig().apiUrl)
+		.otherwise(() => {
+			throw new Error("Not in a valid context");
+		});
+
+	const envVars = `RIVET_ENDPOINT=${endpoint}
+RIVET_NAMESPACE=${namespace}
+RIVET_TOKEN=${token || ""}`;
+
+	const codeSnippet = `// Configuration will automatically be read from env
+registry.start();`;
+
 	return (
-		<div className="space-y-2">
-			<Label>Secret Token</Label>
-			{isLoading ? (
-				<Skeleton className="w-full h-10" />
-			) : (
-				<DiscreteInput value={data || ""} />
-			)}
-			<p className="text-sm text-muted-foreground">
-				Only use in secure server environments. Grants full access to
-				your namespace. Used to connect your Runners to your namespace.
-			</p>
+		<div className="space-y-4">
+			<div className="space-y-2">
+				<Label>Secret Token</Label>
+				{isTokenLoading ? (
+					<Skeleton className="w-full h-10" />
+				) : (
+					<DiscreteInput value={token || ""} />
+				)}
+				<p className="text-sm text-muted-foreground">
+					Only use in secure server environments. Grants full access to
+					your namespace. Used to connect your Runners to your namespace.
+				</p>
+			</div>
+			<div className="space-y-2">
+				<Label>Datacenter</Label>
+				<RegionSelect
+					showAuto={false}
+					value={selectedDatacenter}
+					onValueChange={setSelectedDatacenter}
+				/>
+			</div>
+			<div className="space-y-2">
+				<Label>Environment Variables</Label>
+				<CodePreview code={envVars} language="bash" />
+			</div>
+			<div className="space-y-2">
+				<Label>Code Snippet</Label>
+				<CodePreview code={codeSnippet} language="typescript" />
+			</div>
 		</div>
 	);
 }
@@ -76,21 +133,40 @@ function PublishableToken() {
 		from: "/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace",
 		select: (c) => c.dataProvider,
 	});
-	const { data, isLoading } = useQuery(
+	const { data: token, isLoading } = useQuery(
 		dataProvider.publishableTokenQueryOptions(),
 	);
+
+	const namespace = dataProvider.engineNamespace;
+
+	const endpoint = match(__APP_TYPE__)
+		.with("cloud", () => cloudEnv().VITE_APP_API_URL)
+		.with("engine", () => getConfig().apiUrl)
+		.otherwise(() => {
+			throw new Error("Not in a valid context");
+		});
+
 	return (
-		<div className="space-y-2">
-			<Label>Publishable Token</Label>
-			{isLoading ? (
-				<Skeleton className="w-full h-10" />
-			) : (
-				<DiscreteInput value={data || ""} />
+		<div className="space-y-4">
+			<div className="space-y-2">
+				<Label>Publishable Token</Label>
+				{isLoading ? (
+					<Skeleton className="w-full h-10" />
+				) : (
+					<DiscreteInput value={token || ""} />
+				)}
+				<p className="text-sm text-muted-foreground">
+					Safe to use in public contexts like client-side code. Allows
+					your frontend to interact with Rivet services.
+				</p>
+			</div>
+			{token && (
+				<PublishableTokenCodeGroup
+					token={token}
+					endpoint={endpoint}
+					namespace={namespace}
+				/>
 			)}
-			<p className="text-sm text-muted-foreground">
-				Safe to use in public contexts like client-side code. Allows
-				your frontend to interact with Rivet services.
-			</p>
 		</div>
 	);
 }
diff --git a/frontend/src/app/forms/create-api-token-form.tsx b/frontend/src/app/forms/create-api-token-form.tsx
new file mode 100644
index 0000000000..e9428004b2
--- /dev/null
+++ b/frontend/src/app/forms/create-api-token-form.tsx
@@ -0,0 +1,98 @@
+import { type UseFormReturn, useFormContext } from "react-hook-form";
+import z from "zod";
+import {
+	createSchemaForm,
+	FormControl,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+	Input,
+	Select,
+	SelectContent,
+	SelectItem,
+	SelectTrigger,
+	SelectValue,
+} from "@/components";
+
+export const formSchema = z.object({
+	name: z
+		.string()
+		.min(1, "Name is required")
+		.max(255, "Name must be 255 characters or less"),
+	expiresIn: z.string().optional(),
+});
+
+export type FormValues = z.infer<typeof formSchema>;
+export type SubmitHandler = (
+	values: FormValues,
+	form: UseFormReturn<FormValues>,
+) => Promise<void>;
+
+const { Form, Submit } = createSchemaForm(formSchema);
+export { Form, Submit };
+
+export const Name = ({ className }: { className?: string }) => {
+	const { control } = useFormContext<FormValues>();
+	return (
+		<FormField
+			control={control}
+			name="name"
+			render={({ field }) => (
+				<FormItem className={className}>
+					<FormLabel>Name</FormLabel>
+					<FormControl>
+						<Input
+							placeholder="e.g., CI/CD Pipeline, Production Server"
+							{...field}
+						/>
+					</FormControl>
+					<FormMessage />
+				</FormItem>
+			)}
+		/>
+	);
+};
+
+export const EXPIRATION_OPTIONS = [
+	{ value: "15m", label: "15 minutes" },
+	{ value: "1h", label: "1 hour" },
+	{ value: "6h", label: "6 hours" },
+	{ value: "12h", label: "12 hours" },
+	{ value: "1d", label: "1 day" },
+	{ value: "7d", label: "7 days" },
+	{ value: "30d", label: "30 days" },
+	{ value: "90d", label: "90 days" },
+	{ value: "1y", label: "1 year" },
+	{ value: "never", label: "Never" },
+] as const;
+
+export const ExpiresIn = ({ className }: { className?: string }) => {
+	const { control } = useFormContext<FormValues>();
+	return (
+		<FormField
+			control={control}
+			name="expiresIn"
+			render={({ field }) => (
+				<FormItem className={className}>
+					<FormLabel>Expiration</FormLabel>
+					<Select onValueChange={field.onChange} value={field.value}>
+						<FormControl>
+							<SelectTrigger>
+								<SelectValue placeholder="Select expiration duration" />
+							</SelectTrigger>
+						</FormControl>
+						<SelectContent>
+							{EXPIRATION_OPTIONS.map((option) => (
+								<SelectItem key={option.value} value={option.value}>
+									{option.label}
+								</SelectItem>
+							))}
+						</SelectContent>
+					</Select>
+					<FormMessage />
+				</FormItem>
+			)}
+		/>
+	);
+};
diff --git a/frontend/src/app/layout.tsx b/frontend/src/app/layout.tsx
index 41e1d38340..6c586171f3 100644
--- a/frontend/src/app/layout.tsx
+++ b/frontend/src/app/layout.tsx
@@ -2,6 +2,8 @@ import { useClerk } from "@clerk/clerk-react";
 import {
 	faArrowUpRight,
 	faBolt,
+	faHome,
+	faKey,
 	faLink,
 	faServer,
 	faSpinnerThird,
@@ -408,15 +410,15 @@ const Subnav = () => {
 					to="/ns/$namespace/connect"
 					className="font-normal"
 					params={nsMatch}
-					icon={faBolt}
+					icon={faHome}
 				>
-					Connect
+					Overview
 				</HeaderLink>
 			) : null}
 			{hasDataProvider && hasQuery ? (
 				<div className="w-full">
 					<span className="block text-muted-foreground text-xs px-2 py-1 transition-colors mb-0.5">
-						Instances
+						Actors
 					</span>
 					<ActorBuildsList />
 				</div>
@@ -430,7 +432,7 @@ function HeaderLink({ icon, children, className, ...props }: HeaderLinkProps) {
 		<HeaderButton
 			asChild
 			variant="ghost"
-			className="font-medium px-1 text-foreground data-active:bg-accent"
+			className="font-medium px-1 text-muted-foreground data-active:text-foreground data-active:bg-accent"
 			{...props}
 			startIcon={
 				icon ? (
@@ -560,19 +562,27 @@ function CloudSidebarContentInner(props: {
 	const hasDataProvider = useDataProviderCheck();
 	const hasQuery = !!useDataProvider().buildsQueryOptions;
 	return (
-		<div className="flex gap-1.5 flex-col">
+		<div className="flex gap-0.5 flex-col">
 			<HeaderLink
 				to="/orgs/$organization/projects/$project/ns/$namespace/connect"
 				className="font-normal"
 				{...props}
-				icon={faBolt}
+				icon={faHome}
+			>
+				Overview
+			</HeaderLink>
+			<HeaderLink
+				to="/orgs/$organization/projects/$project/ns/$namespace/tokens"
+				className="font-normal"
+				{...props}
+				icon={faKey}
 			>
-				Connect
+				Tokens
 			</HeaderLink>
 			{hasDataProvider && hasQuery ? (
 				<div className="w-full pt-1.5">
 					<span className="block text-muted-foreground text-xs px-2 py-1 transition-colors mb-0.5">
-						Instances
+						Actors
 					</span>
 					<ActorBuildsList />
 				</div>
diff --git a/frontend/src/app/publishable-token-code-group.tsx b/frontend/src/app/publishable-token-code-group.tsx
new file mode 100644
index 0000000000..fd6bc9fe1a
--- /dev/null
+++ b/frontend/src/app/publishable-token-code-group.tsx
@@ -0,0 +1,165 @@
+import { faChevronRight, faNextjs, faNodeJs, faReact, Icon } from "@rivet-gg/icons";
+import { useInfiniteQuery } from "@tanstack/react-query";
+import { hasProvider } from "@/app/data-providers/engine-data-provider";
+import { CodeFrame, CodeGroup, CodePreview, DocsSheet } from "@/components";
+import { useEngineCompatDataProvider } from "@/components/actors";
+
+interface PublishableTokenCodeGroupProps {
+	token: string;
+	endpoint: string;
+	namespace: string;
+}
+
+export function PublishableTokenCodeGroup({
+	token,
+	endpoint,
+	namespace,
+}: PublishableTokenCodeGroupProps) {
+	const dataProvider = useEngineCompatDataProvider();
+	const { data: configs } = useInfiniteQuery({
+		...dataProvider.runnerConfigsQueryOptions(),
+		refetchInterval: 5000,
+	});
+
+	// Check if Vercel is connected
+	const hasVercel = hasProvider(configs, ["vercel", "next-js"]);
+
+	const nextJsTab = (
+		<CodeFrame
+			language="typescript"
+			title="Next.js"
+			icon={faNextjs}
+			footer={
+				<DocsSheet
+					path={"/docs/actors/quickstart/next-js"}
+					title={"Next.js Quickstart"}
+				>
+					<span className="cursor-pointer hover:underline">
+						See Next.js Documentation{" "}
+						<Icon icon={faChevronRight} className="text-xs" />
+					</span>
+				</DocsSheet>
+			}
+		>
+			<CodePreview
+				code={nextJsCode({ token, endpoint, namespace })}
+				language="typescript"
+			/>
+		</CodeFrame>
+	);
+
+	const reactTab = (
+		<CodeFrame
+			language="typescript"
+			title="React"
+			icon={faReact}
+			footer={
+				<DocsSheet
+					path={"/docs/actors/quickstart/react"}
+					title={"React Quickstart"}
+				>
+					<span className="cursor-pointer hover:underline">
+						See React Documentation{" "}
+						<Icon icon={faChevronRight} className="text-xs" />
+					</span>
+				</DocsSheet>
+			}
+		>
+			<CodePreview
+				code={reactCode({ token, endpoint, namespace })}
+				language="typescript"
+			/>
+		</CodeFrame>
+	);
+
+	const javascriptTab = (
+		<CodeFrame
+			language="typescript"
+			title="JavaScript"
+			icon={faNodeJs}
+			footer={
+				<DocsSheet
+					path={"/docs/actors/quickstart/backend"}
+					title={"JavaScript Quickstart"}
+				>
+					<span className="cursor-pointer hover:underline">
+						See JavaScript Documentation{" "}
+						<Icon icon={faChevronRight} className="text-xs" />
+					</span>
+				</DocsSheet>
+			}
+		>
+			<CodePreview
+				code={javascriptCode({
+					token,
+					endpoint,
+					namespace,
+				})}
+				language="typescript"
+			/>
+		</CodeFrame>
+	);
+
+	return (
+		<CodeGroup>
+			{hasVercel
+				? [nextJsTab, reactTab, javascriptTab]
+				: [javascriptTab, reactTab, nextJsTab]}
+		</CodeGroup>
+	);
+}
+
+const javascriptCode = ({
+	token,
+	endpoint,
+	namespace,
+}: {
+	token: string;
+	endpoint: string;
+	namespace: string;
+}) => `import { createClient } from "rivetkit/client";
+import type { registry } from "./registry";
+
+const client = createClient<typeof registry>({
+	endpoint: "${endpoint}",
+	namespace: "${namespace}",
+	// This token is safe to publish on your frontend
+	token: "${token}",
+});`;
+
+const reactCode = ({
+	token,
+	endpoint,
+	namespace,
+}: {
+	token: string;
+	endpoint: string;
+	namespace: string;
+}) => `import { createRivetKit } from "@rivetkit/react";
+import type { registry } from "./registry";
+
+export const { useActor } = createRivetKit<typeof registry>({
+	endpoint: "${endpoint}",
+	namespace: "${namespace}",
+	// This token is safe to publish on your frontend
+	token: "${token}",
+});`;
+
+const nextJsCode = ({
+	token,
+	endpoint,
+	namespace,
+}: {
+	token: string;
+	endpoint: string;
+	namespace: string;
+}) => `"use client";
+import { createRivetKit } from "@rivetkit/next-js/client";
+import type { registry } from "@/rivet/registry";
+
+export const { useActor } = createRivetKit<typeof registry>({
+	endpoint: "${endpoint}",
+	namespace: "${namespace}",
+	// This token is safe to publish on your frontend
+	token: "${token}",
+});`;
diff --git a/frontend/src/app/use-dialog.tsx b/frontend/src/app/use-dialog.tsx
index 9918da25bc..14f84484b7 100644
--- a/frontend/src/app/use-dialog.tsx
+++ b/frontend/src/app/use-dialog.tsx
@@ -43,4 +43,8 @@ export const useDialog = {
 		() => import("@/app/dialogs/provide-engine-credentials-frame"),
 	),
 	Tokens: createDialogHook(() => import("@/app/dialogs/tokens-frame")),
+	ApiTokens: createDialogHook(() => import("@/app/dialogs/api-tokens-frame")),
+	CreateApiToken: createDialogHook(
+		() => import("@/app/dialogs/create-api-token-frame"),
+	),
 };
diff --git a/frontend/src/app/user-dropdown.tsx b/frontend/src/app/user-dropdown.tsx
index 20aec6e7a3..59e31fe99e 100644
--- a/frontend/src/app/user-dropdown.tsx
+++ b/frontend/src/app/user-dropdown.tsx
@@ -65,30 +65,6 @@ export function UserDropdown() {
 				>
 					Profile
 				</DropdownMenuItem>
-				{isMatchingNamespaceRoute ? (
-					<DropdownMenuItem
-						onSelect={() => {
-							navigate({
-								to: ".",
-								search: { ...params, modal: "tokens" },
-							});
-						}}
-					>
-						Tokens
-					</DropdownMenuItem>
-				) : null}
-				{isMatchingProjectRoute ? (
-					<DropdownMenuItem
-						onSelect={() => {
-							navigate({
-								to: ".",
-								search: (old) => ({ ...old, modal: "api-keys" }),
-							});
-						}}
-					>
-						API Keys
-					</DropdownMenuItem>
-				) : null}
 				{clerk.organization ? (
 					<DropdownMenuItem
 						onSelect={() => {
diff --git a/frontend/src/components/actors/data-provider.tsx b/frontend/src/components/actors/data-provider.tsx
index f1287b6577..7659d5c107 100644
--- a/frontend/src/components/actors/data-provider.tsx
+++ b/frontend/src/components/actors/data-provider.tsx
@@ -7,8 +7,8 @@ import {
 } from "@tanstack/react-router";
 import { match } from "ts-pattern";
 
-export const useDataProvider = () =>
-	match(__APP_TYPE__)
+export const useDataProvider = () => {
+	return match(__APP_TYPE__)
 		.with("cloud", () => {
 			// biome-ignore lint/correctness/useHookAtTopLevel: runs only once
 			return useRouteContext({
@@ -36,6 +36,7 @@ export const useDataProvider = () =>
 				});
 		})
 		.exhaustive();
+};
 
 export const useDataProviderCheck = () => {
 	const matchRoute = useMatchRoute();
@@ -104,16 +105,19 @@ export const useCloudNamespaceDataProvider = () => {
 };
 
 export const useEngineCompatDataProvider = () => {
+	const routePath = match(__APP_TYPE__)
+		.with("cloud", () => {
+			return "/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace" as const;
+		})
+		.with("engine", () => {
+			return "/_context/_engine/ns/$namespace" as const;
+		})
+		.otherwise(() => {
+			throw new Error("Not in an engine-like context");
+		});
+
 	return useRouteContext({
-		from: match(__APP_TYPE__)
-			.with("cloud", () => {
-				return "/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace" as const;
-			})
-			.with("engine", () => {
-				return "/_context/_engine/ns/$namespace" as const;
-			})
-			.otherwise(() => {
-				throw new Error("Not in an engine-like context");
-			}),
+		from: routePath,
+		strict: false,
 	}).dataProvider;
 };
diff --git a/frontend/src/queries/utils.ts b/frontend/src/queries/utils.ts
index 7479ac003d..2875d428ab 100644
--- a/frontend/src/queries/utils.ts
+++ b/frontend/src/queries/utils.ts
@@ -2,7 +2,7 @@ import type { Query } from "@tanstack/react-query";
 
 export const shouldRetryAllExpect403 = (failureCount: number, error: Error) => {
 	if (error && "statusCode" in error) {
-		if (error.statusCode === 403) {
+		if (error.statusCode === 403 || error.statusCode === 401) {
 			// Don't retry on auth errors, when app is not engine
 			return __APP_TYPE__ !== "engine";
 		}
diff --git a/frontend/src/routeTree.gen.ts b/frontend/src/routeTree.gen.ts
index 70ac67d4b7..619fe8d6fb 100644
--- a/frontend/src/routeTree.gen.ts
+++ b/frontend/src/routeTree.gen.ts
@@ -29,6 +29,7 @@ import { Route as ContextCloudOrgsOrganizationProjectsProjectRouteImport } from
 import { Route as ContextCloudOrgsOrganizationProjectsProjectIndexRouteImport } from './routes/_context/_cloud/orgs.$organization/projects.$project/index'
 import { Route as ContextCloudOrgsOrganizationProjectsProjectNsNamespaceRouteImport } from './routes/_context/_cloud/orgs.$organization/projects.$project/ns.$namespace'
 import { Route as ContextCloudOrgsOrganizationProjectsProjectNsNamespaceIndexRouteImport } from './routes/_context/_cloud/orgs.$organization/projects.$project/ns.$namespace/index'
+import { Route as ContextCloudOrgsOrganizationProjectsProjectNsNamespaceTokensRouteImport } from './routes/_context/_cloud/orgs.$organization/projects.$project/ns.$namespace/tokens'
 import { Route as ContextCloudOrgsOrganizationProjectsProjectNsNamespaceConnectRouteImport } from './routes/_context/_cloud/orgs.$organization/projects.$project/ns.$namespace/connect'
 
 const SsoCallbackRoute = SsoCallbackRouteImport.update({
@@ -143,6 +144,15 @@ const ContextCloudOrgsOrganizationProjectsProjectNsNamespaceIndexRoute =
         ContextCloudOrgsOrganizationProjectsProjectNsNamespaceRoute,
     } as any,
   )
+const ContextCloudOrgsOrganizationProjectsProjectNsNamespaceTokensRoute =
+  ContextCloudOrgsOrganizationProjectsProjectNsNamespaceTokensRouteImport.update(
+    {
+      id: '/tokens',
+      path: '/tokens',
+      getParentRoute: () =>
+        ContextCloudOrgsOrganizationProjectsProjectNsNamespaceRoute,
+    } as any,
+  )
 const ContextCloudOrgsOrganizationProjectsProjectNsNamespaceConnectRoute =
   ContextCloudOrgsOrganizationProjectsProjectNsNamespaceConnectRouteImport.update(
     {
@@ -171,6 +181,7 @@ export interface FileRoutesByFullPath {
   '/orgs/$organization/projects/$project/': typeof ContextCloudOrgsOrganizationProjectsProjectIndexRoute
   '/orgs/$organization/projects/$project/ns/$namespace': typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceRouteWithChildren
   '/orgs/$organization/projects/$project/ns/$namespace/connect': typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceConnectRoute
+  '/orgs/$organization/projects/$project/ns/$namespace/tokens': typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceTokensRoute
   '/orgs/$organization/projects/$project/ns/$namespace/': typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceIndexRoute
 }
 export interface FileRoutesByTo {
@@ -187,6 +198,7 @@ export interface FileRoutesByTo {
   '/orgs/$organization/projects': typeof ContextCloudOrgsOrganizationProjectsIndexRoute
   '/orgs/$organization/projects/$project': typeof ContextCloudOrgsOrganizationProjectsProjectIndexRoute
   '/orgs/$organization/projects/$project/ns/$namespace/connect': typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceConnectRoute
+  '/orgs/$organization/projects/$project/ns/$namespace/tokens': typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceTokensRoute
   '/orgs/$organization/projects/$project/ns/$namespace': typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceIndexRoute
 }
 export interface FileRoutesById {
@@ -211,6 +223,7 @@ export interface FileRoutesById {
   '/_context/_cloud/orgs/$organization/projects/$project/': typeof ContextCloudOrgsOrganizationProjectsProjectIndexRoute
   '/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace': typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceRouteWithChildren
   '/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace/connect': typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceConnectRoute
+  '/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace/tokens': typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceTokensRoute
   '/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace/': typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceIndexRoute
 }
 export interface FileRouteTypes {
@@ -233,6 +246,7 @@ export interface FileRouteTypes {
     | '/orgs/$organization/projects/$project/'
     | '/orgs/$organization/projects/$project/ns/$namespace'
     | '/orgs/$organization/projects/$project/ns/$namespace/connect'
+    | '/orgs/$organization/projects/$project/ns/$namespace/tokens'
     | '/orgs/$organization/projects/$project/ns/$namespace/'
   fileRoutesByTo: FileRoutesByTo
   to:
@@ -249,6 +263,7 @@ export interface FileRouteTypes {
     | '/orgs/$organization/projects'
     | '/orgs/$organization/projects/$project'
     | '/orgs/$organization/projects/$project/ns/$namespace/connect'
+    | '/orgs/$organization/projects/$project/ns/$namespace/tokens'
     | '/orgs/$organization/projects/$project/ns/$namespace'
   id:
     | '__root__'
@@ -272,6 +287,7 @@ export interface FileRouteTypes {
     | '/_context/_cloud/orgs/$organization/projects/$project/'
     | '/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace'
     | '/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace/connect'
+    | '/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace/tokens'
     | '/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace/'
   fileRoutesById: FileRoutesById
 }
@@ -425,6 +441,13 @@ declare module '@tanstack/react-router' {
       preLoaderRoute: typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceIndexRouteImport
       parentRoute: typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceRoute
     }
+    '/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace/tokens': {
+      id: '/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace/tokens'
+      path: '/tokens'
+      fullPath: '/orgs/$organization/projects/$project/ns/$namespace/tokens'
+      preLoaderRoute: typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceTokensRouteImport
+      parentRoute: typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceRoute
+    }
     '/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace/connect': {
       id: '/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace/connect'
       path: '/connect'
@@ -437,6 +460,7 @@ declare module '@tanstack/react-router' {
 
 interface ContextCloudOrgsOrganizationProjectsProjectNsNamespaceRouteChildren {
   ContextCloudOrgsOrganizationProjectsProjectNsNamespaceConnectRoute: typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceConnectRoute
+  ContextCloudOrgsOrganizationProjectsProjectNsNamespaceTokensRoute: typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceTokensRoute
   ContextCloudOrgsOrganizationProjectsProjectNsNamespaceIndexRoute: typeof ContextCloudOrgsOrganizationProjectsProjectNsNamespaceIndexRoute
 }
 
@@ -444,6 +468,8 @@ const ContextCloudOrgsOrganizationProjectsProjectNsNamespaceRouteChildren: Conte
   {
     ContextCloudOrgsOrganizationProjectsProjectNsNamespaceConnectRoute:
       ContextCloudOrgsOrganizationProjectsProjectNsNamespaceConnectRoute,
+    ContextCloudOrgsOrganizationProjectsProjectNsNamespaceTokensRoute:
+      ContextCloudOrgsOrganizationProjectsProjectNsNamespaceTokensRoute,
     ContextCloudOrgsOrganizationProjectsProjectNsNamespaceIndexRoute:
       ContextCloudOrgsOrganizationProjectsProjectNsNamespaceIndexRoute,
   }
diff --git a/frontend/src/routes/_context/_cloud.tsx b/frontend/src/routes/_context/_cloud.tsx
index b8b5953f0b..d9779d4d27 100644
--- a/frontend/src/routes/_context/_cloud.tsx
+++ b/frontend/src/routes/_context/_cloud.tsx
@@ -47,7 +47,6 @@ function CloudModals() {
 	const ConnectHetznerDialog = useDialog.ConnectHetzner.Dialog;
 	const EditProviderConfigDialog = useDialog.EditProviderConfig.Dialog;
 	const DeleteConfigDialog = useDialog.DeleteConfig.Dialog;
-	const TokensDialog = useDialog.Tokens.Dialog;
 
 	return (
 		<>
@@ -245,23 +244,6 @@ function CloudModals() {
 					},
 				}}
 			/>
-			<TokensDialog
-				dialogProps={{
-					open: search.modal === "tokens",
-					// FIXME
-					onOpenChange: (value: any) => {
-						if (!value) {
-							navigate({
-								to: ".",
-								search: (old) => ({
-									...old,
-									modal: undefined,
-								}),
-							});
-						}
-					},
-				}}
-			/>
 			<EditProviderConfigDialog
 				dialogContentProps={{
 					className: "max-w-xl",
diff --git a/frontend/src/routes/_context/_cloud/orgs.$organization/projects.$project/ns.$namespace/connect.tsx b/frontend/src/routes/_context/_cloud/orgs.$organization/projects.$project/ns.$namespace/connect.tsx
index 2db1e8fd0d..614024b0d2 100644
--- a/frontend/src/routes/_context/_cloud/orgs.$organization/projects.$project/ns.$namespace/connect.tsx
+++ b/frontend/src/routes/_context/_cloud/orgs.$organization/projects.$project/ns.$namespace/connect.tsx
@@ -1,6 +1,5 @@
 import {
 	faAws,
-	faChevronRight,
 	faGoogleCloud,
 	faHetznerH,
 	faNextjs,
@@ -23,17 +22,15 @@ import {
 	Link,
 	notFound,
 	Link as RouterLink,
+	useParams,
 } from "@tanstack/react-router";
 import { match } from "ts-pattern";
-import { hasProvider } from "@/app/data-providers/engine-data-provider";
 import { HelpDropdown } from "@/app/help-dropdown";
+import { PublishableTokenCodeGroup } from "@/app/publishable-token-code-group";
 import { RunnerConfigsTable } from "@/app/runner-config-table";
 import { RunnersTable } from "@/app/runners-table";
 import {
 	Button,
-	CodeFrame,
-	CodeGroup,
-	CodePreview,
 	DocsSheet,
 	DropdownMenu,
 	DropdownMenuContent,
@@ -50,7 +47,7 @@ import {
 	useEngineCompatDataProvider,
 	useEngineNamespaceDataProvider,
 } from "@/components/actors";
-import { cloudEnv, engineEnv } from "@/lib/env";
+import { cloudEnv } from "@/lib/env";
 
 export const Route = createFileRoute(
 	"/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace/connect",
@@ -64,6 +61,7 @@ export const Route = createFileRoute(
 });
 
 export function RouteComponent() {
+	const params = useParams({ strict: false });
 	const { data: runnerNamesCount, isLoading } = useSuspenseInfiniteQuery({
 		...useEngineCompatDataProvider().runnerNamesQueryOptions(),
 		select: (data) => data.pages[0].names.length,
@@ -78,20 +76,15 @@ export function RouteComponent() {
 			<div className="bg-card h-full border my-2 mr-2 rounded-lg overflow-auto">
 				<div className=" max-w-5xl mx-auto">
 					<div className="mt-2 flex justify-between items-center px-6 py-4 ">
-						<H1>Connect</H1>
-						<div className="flex gap-4">
-							<Link to="." search={{ modal: "tokens" }}>
-								<Button variant="outline">Tokens</Button>
-							</Link>
-							<HelpDropdown>
+						<H1>Overview</H1>
+						<HelpDropdown>
 								<Button
 									variant="outline"
 									startIcon={<Icon icon={faQuestionCircle} />}
 								>
 									Need help?
 								</Button>
-							</HelpDropdown>
-						</div>
+						</HelpDropdown>
 					</div>
 					<p className="max-w-5xl mb-6 px-6 text-muted-foreground">
 						Connect your RivetKit application to Rivet Cloud. Use
@@ -197,22 +190,17 @@ export function RouteComponent() {
 					<div className="max-w-3xl w-full border rounded-lg bg-card">
 						<div className="mt-2 flex justify-between items-center px-6 py-4">
 							<H2>Connect Existing Project</H2>
-							<div className="flex gap-4">
-								<Link to="." search={{ modal: "tokens" }}>
-									<Button variant="outline">Tokens</Button>
-								</Link>
-								<HelpDropdown>
+							<HelpDropdown>
 									<Button
 										variant="outline"
 										startIcon={
 											<Icon icon={faQuestionCircle} />
 										}
 									>
-										Need help?
+									Need help?
 									</Button>
 								</HelpDropdown>
 							</div>
-						</div>
 						<p className="max-w-5xl mb-6 px-6 text-muted-foreground">
 							Connect your RivetKit application to Rivet Cloud.
 							Use your cloud of choice to run Rivet Actors.
@@ -320,11 +308,7 @@ export function RouteComponent() {
 			<div className=" ">
 				<div className="mb-4 pt-2 max-w-5xl mx-auto">
 					<div className="flex justify-between items-center px-10 py-4 ">
-						<H1>Connect</H1>
-						<div className="flex gap-4">
-							<Link to="." search={{ modal: "tokens" }}>
-								<Button variant="outline">Tokens</Button>
-							</Link>
+						<H1>Overview</H1>
 							<HelpDropdown>
 								<Button
 									variant="outline"
@@ -334,7 +318,6 @@ export function RouteComponent() {
 								</Button>
 							</HelpDropdown>
 						</div>
-					</div>
 					<p className="max-w-5xl mb-6 px-10 text-muted-foreground">
 						Connect your RivetKit application to Rivet Cloud. Use
 						your cloud of choice to run Rivet Actors.
@@ -367,7 +350,7 @@ function Providers() {
 
 	return (
 		<div className="p-4 pb-8 px-6 max-w-5xl mx-auto my-8 border-b @6xl:border @6xl:rounded-lg bg-muted/10">
-			<div className="flex gap-2 items-center mb-2">
+			<div className="flex gap-2 items-center justify-between mb-2">
 				<H3>Providers</H3>
 
 				<ProviderDropdown>
@@ -436,21 +419,23 @@ function Runners() {
 }
 
 function usePublishableToken() {
-	const cloudProvider = useCloudNamespaceDataProvider();
-	const engineProvider = useEngineNamespaceDataProvider();
-	const cloudData = useSuspenseQuery(
-		cloudProvider.publishableTokenQueryOptions(),
-	);
-	const engineData = useSuspenseQuery(
-		engineProvider.engineAdminTokenQueryOptions(),
-	);
+	if (__APP_TYPE__ === "cloud") {
+		const cloudProvider = useCloudNamespaceDataProvider();
+		const cloudData = useSuspenseQuery(
+			cloudProvider.publishableTokenQueryOptions(),
+		);
+		return cloudData.data;
+	}
 
-	return match(__APP_TYPE__)
-		.with("cloud", () => cloudData.data)
-		.with("engine", () => engineData.data)
-		.otherwise(() => {
-			throw new Error("Not in a valid context");
-		});
+	if (__APP_TYPE__ === "engine") {
+		const engineProvider = useEngineNamespaceDataProvider();
+		const engineData = useSuspenseQuery(
+			engineProvider.engineAdminTokenQueryOptions(),
+		);
+		return engineData.data;
+	}
+
+	throw new Error("Not in a valid context");
 }
 
 const useEndpoint = () => {
@@ -472,90 +457,6 @@ function ConnectYourFrontend() {
 	const dataProvider = useEngineCompatDataProvider();
 	const namespace = dataProvider.engineNamespace;
 
-	const { data: configs } = useInfiniteQuery({
-		...dataProvider.runnerConfigsQueryOptions(),
-		refetchInterval: 5000,
-	});
-
-	// Check if Vercel is connected
-	const hasVercel = hasProvider(configs, ["vercel", "next-js"]);
-
-	const nextJsTab = (
-		<CodeFrame
-			language="typescript"
-			title="Next.js"
-			icon={faNextjs}
-			footer={
-				<DocsSheet
-					path={"/docs/actors/quickstart/next-js"}
-					title={"Next.js Quickstart"}
-				>
-					<span className="cursor-pointer hover:underline">
-						See Next.js Documentation{" "}
-						<Icon icon={faChevronRight} className="text-xs" />
-					</span>
-				</DocsSheet>
-			}
-		>
-			<CodePreview
-				code={nextJsCode({ token, endpoint, namespace })}
-				language="typescript"
-			/>
-		</CodeFrame>
-	);
-
-	const reactTab = (
-		<CodeFrame
-			language="typescript"
-			title="React"
-			icon={faReact}
-			footer={
-				<DocsSheet
-					path={"/docs/actors/quickstart/react"}
-					title={"React Quickstart"}
-				>
-					<span className="cursor-pointer hover:underline">
-						See React Documentation{" "}
-						<Icon icon={faChevronRight} className="text-xs" />
-					</span>
-				</DocsSheet>
-			}
-		>
-			<CodePreview
-				code={reactCode({ token, endpoint, namespace })}
-				language="typescript"
-			/>
-		</CodeFrame>
-	);
-
-	const javascriptTab = (
-		<CodeFrame
-			language="typescript"
-			title="JavaScript"
-			icon={faNodeJs}
-			footer={
-				<DocsSheet
-					path={"/docs/actors/quickstart/backend"}
-					title={"JavaScript Quickstart"}
-				>
-					<span className="cursor-pointer hover:underline">
-						See JavaScript Documentation{" "}
-						<Icon icon={faChevronRight} className="text-xs" />
-					</span>
-				</DocsSheet>
-			}
-		>
-			<CodePreview
-				code={javascriptCode({
-					token,
-					endpoint,
-					namespace,
-				})}
-				language="typescript"
-			/>
-		</CodeFrame>
-	);
-
 	return (
 		<div className="pb-4 px-6 max-w-5xl mx-auto my-8 border-b @6xl:border @6xl:rounded-lg bg-muted/10">
 			<div className="flex gap-2 items-center mb-2 mt-6">
@@ -565,69 +466,16 @@ function ConnectYourFrontend() {
 				This token is safe to publish on your frontend.
 			</p>
 			<div>
-				<CodeGroup>
-					{hasVercel
-						? [nextJsTab, reactTab, javascriptTab]
-						: [javascriptTab, reactTab, nextJsTab]}
-				</CodeGroup>
+				<PublishableTokenCodeGroup
+					token={token}
+					endpoint={endpoint}
+					namespace={namespace}
+				/>
 			</div>
 		</div>
 	);
 }
 
-const javascriptCode = ({
-	token,
-	endpoint,
-	namespace,
-}: {
-	token: string;
-	endpoint: string;
-	namespace: string;
-}) => `import { createClient } from "rivetkit/client";
-import type { registry } from "./registry";
-
-const client = createClient<typeof registry>({
-	endpoint: "${endpoint}",
-	namespace: "${namespace}",
-	token: "${token}",
-});`;
-
-const reactCode = ({
-	token,
-	endpoint,
-	namespace,
-}: {
-	token: string;
-	endpoint: string;
-	namespace: string;
-}) => `import { createRivetKit } from "@rivetkit/react";
-import type { registry } from "./registry";
-
-export const { useActor } = createRivetKit<typeof registry>({
-	endpoint: "${endpoint}",
-	namespace: "${namespace}",
-	token: "${token}",
-});`;
-
-const nextJsCode = ({
-	token,
-	endpoint,
-	namespace,
-}: {
-	token: string;
-	endpoint: string;
-	namespace: string;
-}) => `"use client";
-import { createRivetKit } from "@rivetkit/next-js/client";
-import type { registry } from "@/rivet/registry";
-
-export const { useActor } = createRivetKit<typeof registry>({
-	endpoint: "${engineEnv().VITE_APP_API_URL}",
-	namespace: "${namespace}",
-	token: "${token}",
-});
-`;
-
 function ProviderDropdown({ children }: { children: React.ReactNode }) {
 	const navigate = Route.useNavigate();
 	return (
diff --git a/frontend/src/routes/_context/_cloud/orgs.$organization/projects.$project/ns.$namespace/tokens.tsx b/frontend/src/routes/_context/_cloud/orgs.$organization/projects.$project/ns.$namespace/tokens.tsx
new file mode 100644
index 0000000000..2c199404c2
--- /dev/null
+++ b/frontend/src/routes/_context/_cloud/orgs.$organization/projects.$project/ns.$namespace/tokens.tsx
@@ -0,0 +1,546 @@
+import { faChevronRight, faCopy, faNodeJs, faPlus, faQuestionCircle, faTrash, Icon } from "@rivet-gg/icons";
+import { useInfiniteQuery, useMutation, useQuery } from "@tanstack/react-query";
+import { createFileRoute, useParams, useRouteContext } from "@tanstack/react-router";
+import { useEffect, useState } from "react";
+import { toast } from "sonner";
+import { match } from "ts-pattern";
+import { HelpDropdown } from "@/app/help-dropdown";
+import { PublishableTokenCodeGroup } from "@/app/publishable-token-code-group";
+import { useDialog } from "@/app/use-dialog";
+import {
+	Badge,
+	Button,
+	CodeFrame,
+	CodeGroup,
+	CodePreview,
+	DiscreteInput,
+	DocsSheet,
+	getConfig,
+	H1,
+	H3,
+	Label,
+	Skeleton,
+	Table,
+	TableBody,
+	TableCell,
+	TableHead,
+	TableHeader,
+	TableRow,
+} from "@/components";
+import { useEngineCompatDataProvider } from "@/components/actors";
+import { RegionSelect } from "@/components/actors/region-select";
+import { cloudEnv } from "@/lib/env";
+import { queryClient } from "@/queries/global";
+
+export const Route = createFileRoute(
+	"/_context/_cloud/orgs/$organization/projects/$project/ns/$namespace/tokens",
+)({
+	component: RouteComponent,
+});
+
+function RouteComponent() {
+	return (
+		<div className="bg-card h-full border my-2 mr-2 rounded-lg overflow-auto @container">
+			<div className="max-w-5xl mx-auto">
+				<div className="mt-2 flex justify-between items-center px-10 py-4">
+					<H1>Tokens</H1>
+					<HelpDropdown>
+						<Button
+							variant="outline"
+							startIcon={<Icon icon={faQuestionCircle} />}
+						>
+							Need help?
+						</Button>
+					</HelpDropdown>
+				</div>
+				<p className="text-muted-foreground mb-6 px-10">
+					These tokens are used to authenticate your app with Rivet.
+				</p>
+			</div>
+			<hr className="mb-6" />
+			<div className="px-4">
+				<PublishableToken />
+				<SecretToken />
+				<CloudApiTokens />
+			</div>
+		</div>
+	);
+}
+
+function PublishableToken() {
+	const dataProvider = useEngineCompatDataProvider();
+	const { data: token, isLoading } = useQuery(
+		dataProvider.publishableTokenQueryOptions(),
+	);
+
+	const namespace = dataProvider.engineNamespace;
+
+	const endpoint = match(__APP_TYPE__)
+		.with("cloud", () => cloudEnv().VITE_APP_API_URL)
+		.with("engine", () => getConfig().apiUrl)
+		.otherwise(() => {
+			throw new Error("Not in a valid context");
+		});
+
+	return (
+		<div className="pb-4 px-6 max-w-5xl mx-auto my-8 @6xl:border @6xl:rounded-lg bg-muted/10">
+			<div className="flex gap-2 items-center mb-2 mt-6">
+				<H3>Client Token</H3>
+			</div>
+			<p className="mb-6 text-muted-foreground">
+				Connect to your actors using the Rivet client token. This can be used either on your frontend or backend.
+			</p>
+			<div className="space-y-8">
+				{isLoading ? (
+					<Skeleton className="w-full h-10" />
+				) : (
+					<DiscreteInput value={token || ""} show />
+				)}
+				{token && (
+					<PublishableTokenCodeGroup
+						token={token}
+						endpoint={endpoint}
+						namespace={namespace}
+					/>
+				)}
+			</div>
+		</div>
+	);
+}
+
+function SecretToken() {
+	const dataProvider = useEngineCompatDataProvider();
+	const { data: token, isLoading: isTokenLoading } = useQuery(
+		dataProvider.engineAdminTokenQueryOptions(),
+	);
+	const { data: regions = [] } = useInfiniteQuery(
+		dataProvider.regionsQueryOptions(),
+	);
+	const [selectedDatacenter, setSelectedDatacenter] = useState<
+		string | undefined
+	>(undefined);
+
+	// Set default datacenter when regions are loaded
+	useEffect(() => {
+		if (regions.length > 0 && !selectedDatacenter) {
+			setSelectedDatacenter(regions[0].id);
+		}
+	}, [regions, selectedDatacenter]);
+
+	const namespace = dataProvider.engineNamespace;
+
+	const endpoint = match(__APP_TYPE__)
+		.with("cloud", () => {
+			const region = regions.find((r) => r.id === selectedDatacenter);
+			return region?.endpoint || cloudEnv().VITE_APP_API_URL;
+		})
+		.with("engine", () => getConfig().apiUrl)
+		.otherwise(() => {
+			throw new Error("Not in a valid context");
+		});
+
+	const codeSnippet = `import { registry } from "./registry";
+
+// Automatically reads token from env
+registry.start();`;
+
+	return (
+		<div className="pb-4 px-6 max-w-5xl mx-auto my-8 border-b @6xl:border @6xl:rounded-lg bg-muted/10">
+			<div className="flex gap-2 items-center mb-2 mt-6">
+				<H3>Runner Token</H3>
+			</div>
+			<p className="mb-6 text-muted-foreground">
+				Used by runners (servers that run your actors) to authenticate
+				with Rivet. Serverless providers do not need to use this token.
+			</p>
+			<div className="space-y-8">
+				<div className="space-y-2">
+					<Label>Datacenter</Label>
+					<RegionSelect
+						showAuto={false}
+						value={selectedDatacenter}
+						onValueChange={setSelectedDatacenter}
+					/>
+				</div>
+				<div className="space-y-2">
+					<Label>Environment Variables</Label>
+					<div className="gap-1 items-center grid grid-cols-2">
+						<Label asChild className="text-muted-foreground text-xs mb-1">
+							<p>Key</p>
+						</Label>
+						<Label asChild className="text-muted-foreground text-xs mb-1">
+							<p>Value</p>
+						</Label>
+						<DiscreteInput
+							aria-label="environment variable key"
+							value="RIVET_ENDPOINT"
+							show
+						/>
+						<DiscreteInput
+							aria-label="environment variable value"
+							value={endpoint}
+							show
+						/>
+						<DiscreteInput
+							aria-label="environment variable key"
+							value="RIVET_NAMESPACE"
+							show
+						/>
+						<DiscreteInput
+							aria-label="environment variable value"
+							value={namespace}
+							show
+						/>
+						<DiscreteInput
+							aria-label="environment variable key"
+							value="RIVET_TOKEN"
+							show
+						/>
+						{isTokenLoading ? (
+							<Skeleton className="w-full h-10" />
+						) : (
+							<DiscreteInput
+								aria-label="environment variable value"
+								value={token || ""}
+							/>
+						)}
+					</div>
+					<div className="flex justify-end">
+						<Button
+							variant="outline"
+							size="sm"
+							onClick={() => {
+								const envVars = `RIVET_ENDPOINT=${endpoint}
+RIVET_NAMESPACE=${namespace}
+RIVET_TOKEN=${token || ""}`;
+								navigator.clipboard.writeText(envVars);
+								toast.success("Copied to clipboard");
+							}}
+						>
+							Copy all raw
+						</Button>
+					</div>
+				</div>
+				<CodeGroup>
+					{[
+						<CodeFrame
+							key="javascript"
+							language="typescript"
+							title="JavaScript"
+							icon={faNodeJs}
+							code={() => codeSnippet}
+							footer={
+								<DocsSheet
+									path={"/docs/actors/quickstart/backend"}
+									title={"JavaScript Quickstart"}
+								>
+									<span className="cursor-pointer hover:underline">
+										See JavaScript Documentation{" "}
+										<Icon icon={faChevronRight} className="text-xs" />
+									</span>
+								</DocsSheet>
+							}
+						>
+							<CodePreview
+								className="w-full min-w-0"
+								language="typescript"
+								code={codeSnippet}
+							/>
+						</CodeFrame>
+					]}
+				</CodeGroup>
+			</div>
+		</div>
+	);
+}
+
+function CloudApiTokens() {
+	const { dataProvider } = useRouteContext({
+		from: "/_context/_cloud/orgs/$organization/projects/$project",
+	});
+	const params = useParams({ strict: false });
+	const organization = params.organization;
+	const project = params.project;
+	const namespace = params.namespace;
+
+	const { data, isLoading } = useQuery(dataProvider.apiTokensQueryOptions());
+
+	const { open: openCreateApiToken, dialog: createApiTokenDialog } =
+		useDialog.CreateApiToken({});
+
+	const cloudApiUrl = cloudEnv().VITE_APP_CLOUD_API_URL;
+
+	return (
+		<div className="pb-4 px-6 max-w-5xl mx-auto my-8 @6xl:border @6xl:rounded-lg bg-muted/10">
+			<div className="flex gap-2 items-center justify-between mb-2 mt-6">
+				<div className="flex gap-2 items-center">
+					<H3>Cloud API Tokens</H3>
+					<Badge variant="secondary">Beta</Badge>
+				</div>
+				<Button
+					className="min-w-32"
+					variant="outline"
+					onClick={() => openCreateApiToken()}
+					startIcon={<Icon icon={faPlus} />}
+				>
+					Create API Token
+				</Button>
+			</div>
+			<p className="mb-6 text-muted-foreground">
+				Cloud API tokens provide programmatic access to the Rivet Cloud API. Keep
+				them secure and never share them publicly.
+			</p>
+			<div className="border rounded-md">
+				{isLoading ? (
+					<div className="space-y-2 p-4">
+						<Skeleton className="w-full h-12" />
+						<Skeleton className="w-full h-12" />
+						<Skeleton className="w-full h-12" />
+					</div>
+				) : (
+					<Table>
+						<TableHeader>
+							<TableRow>
+								<TableHead>Name</TableHead>
+								<TableHead>Token</TableHead>
+								<TableHead>Created</TableHead>
+								<TableHead>Expires</TableHead>
+								<TableHead w="min" />
+							</TableRow>
+						</TableHeader>
+						<TableBody>
+							{data?.apiTokens.length === 0 ? (
+								<TableRow>
+									<TableCell
+										colSpan={5}
+										className="text-center py-8 text-muted-foreground"
+									>
+										No Cloud API tokens yet. Create one to get started.
+									</TableCell>
+								</TableRow>
+							) : (
+								data?.apiTokens.map((apiToken) => (
+									<ApiTokenRow
+										key={apiToken.id}
+										apiToken={apiToken}
+										dataProvider={dataProvider}
+									/>
+								))
+							)}
+						</TableBody>
+					</Table>
+				)}
+			</div>
+			<div className="space-y-4 mt-8">
+				<CodeGroup>
+					<CodeFrame
+						language="typescript"
+						title="Create Namespace"
+						code={() => `const response = await fetch("${cloudApiUrl}/projects/${project}/namespaces?org=${organization}", {
+  method: "POST",
+  headers: {
+    "Authorization": "Bearer \${YOUR_CLOUD_API_TOKEN}",
+    "Content-Type": "application/json"
+  },
+  body: JSON.stringify({
+    displayName: "my-namespace"
+  })
+});
+
+const data = await response.json();
+console.log(data.namespace);`}
+					>
+						<CodePreview
+							className="w-full min-w-0"
+							language="typescript"
+							code={`const response = await fetch("${cloudApiUrl}/projects/${project}/namespaces?org=${organization}", {
+  method: "POST",
+  headers: {
+    "Authorization": "Bearer \${YOUR_CLOUD_API_TOKEN}",
+    "Content-Type": "application/json"
+  },
+  body: JSON.stringify({
+    displayName: "my-namespace"
+  })
+});
+
+const data = await response.json();
+console.log(data.namespace);`}
+						/>
+					</CodeFrame>
+					<CodeFrame
+						language="typescript"
+						title="List Namespaces"
+						code={() => `const response = await fetch("${cloudApiUrl}/projects/${project}/namespaces?org=${organization}&limit=10", {
+  method: "GET",
+  headers: {
+    "Authorization": "Bearer \${YOUR_CLOUD_API_TOKEN}"
+  }
+});
+
+const data = await response.json();
+console.log(data.namespaces);`}
+					>
+						<CodePreview
+							className="w-full min-w-0"
+							language="typescript"
+							code={`const response = await fetch("${cloudApiUrl}/projects/${project}/namespaces?org=${organization}&limit=10", {
+  method: "GET",
+  headers: {
+    "Authorization": "Bearer \${YOUR_CLOUD_API_TOKEN}"
+  }
+});
+
+const data = await response.json();
+console.log(data.namespaces);`}
+						/>
+					</CodeFrame>
+					<CodeFrame
+						language="typescript"
+						title="Get Namespace"
+						code={() => `const response = await fetch("${cloudApiUrl}/projects/${project}/namespaces/${namespace}?org=${organization}", {
+  method: "GET",
+  headers: {
+    "Authorization": "Bearer \${YOUR_CLOUD_API_TOKEN}"
+  }
+});
+
+const data = await response.json();
+console.log(data.namespace);`}
+					>
+						<CodePreview
+							className="w-full min-w-0"
+							language="typescript"
+							code={`const response = await fetch("${cloudApiUrl}/projects/${project}/namespaces/${namespace}?org=${organization}", {
+  method: "GET",
+  headers: {
+    "Authorization": "Bearer \${YOUR_CLOUD_API_TOKEN}"
+  }
+});
+
+const data = await response.json();
+console.log(data.namespace);`}
+						/>
+					</CodeFrame>
+					<CodeFrame
+						language="typescript"
+						title="Create Runner Token"
+						code={() => `const response = await fetch("${cloudApiUrl}/projects/${project}/namespaces/${namespace}/tokens/secret?org=${organization}", {
+  method: "POST",
+  headers: {
+    "Authorization": "Bearer \${YOUR_CLOUD_API_TOKEN}"
+  }
+});
+
+const data = await response.json();
+console.log(data.token);`}
+					>
+						<CodePreview
+							className="w-full min-w-0"
+							language="typescript"
+							code={`const response = await fetch("${cloudApiUrl}/projects/${project}/namespaces/${namespace}/tokens/secret?org=${organization}", {
+  method: "POST",
+  headers: {
+    "Authorization": "Bearer \${YOUR_CLOUD_API_TOKEN}"
+  }
+});
+
+const data = await response.json();
+console.log(data.token);`}
+						/>
+					</CodeFrame>
+					<CodeFrame
+						language="typescript"
+						title="Create Client Token"
+						code={() => `const response = await fetch("${cloudApiUrl}/projects/${project}/namespaces/${namespace}/tokens/publishable?org=${organization}", {
+  method: "POST",
+  headers: {
+    "Authorization": "Bearer \${YOUR_CLOUD_API_TOKEN}"
+  }
+});
+
+const data = await response.json();
+console.log(data.token);`}
+					>
+						<CodePreview
+							className="w-full min-w-0"
+							language="typescript"
+							code={`const response = await fetch("${cloudApiUrl}/projects/${project}/namespaces/${namespace}/tokens/publishable?org=${organization}", {
+  method: "POST",
+  headers: {
+    "Authorization": "Bearer \${YOUR_CLOUD_API_TOKEN}"
+  }
+});
+
+const data = await response.json();
+console.log(data.token);`}
+						/>
+					</CodeFrame>
+				</CodeGroup>
+			</div>
+			{createApiTokenDialog}
+		</div>
+	);
+}
+
+interface ApiTokenRowProps {
+	apiToken: {
+		id: string;
+		name: string;
+		createdAt: string;
+		expiresAt?: string;
+		revoked: boolean;
+		lastFourChars: string;
+	};
+	dataProvider: ReturnType<
+		typeof useRouteContext<"/_context/_cloud/orgs/$organization/projects/$project">
+	>["dataProvider"];
+}
+
+function ApiTokenRow({ apiToken, dataProvider }: ApiTokenRowProps) {
+	const { mutate: revoke, isPending } = useMutation(
+		dataProvider.revokeApiTokenMutationOptions({
+			onSuccess: async () => {
+				await queryClient.invalidateQueries(
+					dataProvider.apiTokensQueryOptions(),
+				);
+			},
+		}),
+	);
+
+	const createdDate = new Date(apiToken.createdAt).toLocaleDateString();
+	const expiresDate = apiToken.expiresAt
+		? new Date(apiToken.expiresAt).toLocaleDateString()
+		: "Never";
+
+	return (
+		<TableRow className={apiToken.revoked ? "opacity-50" : ""}>
+			<TableCell>{apiToken.name}</TableCell>
+			<TableCell>
+				<code className="text-xs bg-muted px-2 py-1 rounded">
+					cloud_api_...{apiToken.lastFourChars}
+				</code>
+			</TableCell>
+			<TableCell>{createdDate}</TableCell>
+			<TableCell>{expiresDate}</TableCell>
+			<TableCell>
+				{!apiToken.revoked && (
+					<Button
+						variant="destructive"
+						size="sm"
+						isLoading={isPending}
+						onClick={() => {
+							revoke({ apiTokenId: apiToken.id });
+						}}
+					>
+						<Icon icon={faTrash} className="mr-1" />
+						Revoke
+					</Button>
+				)}
+				{apiToken.revoked && (
+					<span className="text-muted-foreground text-sm">Revoked</span>
+				)}
+			</TableCell>
+		</TableRow>
+	);
+}
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index d3c099fdfa..2dae23c7cb 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -1637,8 +1637,8 @@ importers:
         specifier: ^1.2.3
         version: 1.2.3(@types/react-dom@19.2.2(@types/react@19.2.2))(@types/react@19.2.2)(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
       '@rivet-gg/cloud':
-        specifier: https://pkg.pr.new/rivet-dev/cloud/@rivet-gg/cloud@1fcfb72
-        version: https://pkg.pr.new/rivet-dev/cloud/@rivet-gg/cloud@1fcfb72
+        specifier: https://pkg.pr.new/rivet-dev/cloud/@rivet-gg/cloud@11dea2c
+        version: https://pkg.pr.new/rivet-dev/cloud/@rivet-gg/cloud@11dea2c
       '@rivet-gg/icons':
         specifier: workspace:*
         version: link:packages/icons
@@ -6417,8 +6417,8 @@ packages:
   '@rivet-gg/api@25.5.3':
     resolution: {integrity: sha512-pj8xYQ+I/aQDbThmicPxvR+TWAzGoLSE53mbJi4QZHF8VH2oMvU7CMWqy7OTFH30DIRyVzsnHHRJZKGwtmQL3g==}
 
-  '@rivet-gg/cloud@https://pkg.pr.new/rivet-dev/cloud/@rivet-gg/cloud@1fcfb72':
-    resolution: {tarball: https://pkg.pr.new/rivet-dev/cloud/@rivet-gg/cloud@1fcfb72}
+  '@rivet-gg/cloud@https://pkg.pr.new/rivet-dev/cloud/@rivet-gg/cloud@11dea2c':
+    resolution: {tarball: https://pkg.pr.new/rivet-dev/cloud/@rivet-gg/cloud@11dea2c}
     version: 0.0.0
 
   '@rivet-gg/cloud@https://pkg.pr.new/rivet-dev/cloud/@rivet-gg/cloud@bf2ebb2':
@@ -18266,7 +18266,7 @@ snapshots:
     transitivePeerDependencies:
       - encoding
 
-  '@rivet-gg/cloud@https://pkg.pr.new/rivet-dev/cloud/@rivet-gg/cloud@1fcfb72':
+  '@rivet-gg/cloud@https://pkg.pr.new/rivet-dev/cloud/@rivet-gg/cloud@11dea2c':
     dependencies:
       cross-fetch: 4.1.0
       form-data: 4.0.5