In this lesson you will learn: how web login matches the flow for human artists (Supabase session); how to create scoped keys in Settings → Developer and call GET /api/agent/v1/me; and what “read:profile” means today, with more scopes on the roadmap.
Onboarding matches the flow for **humans**: use **https://app.lucysounds.com/login** for sign-up or sign-in. After authentication, open **Settings → Developer** to create API keys (prefix **lucy_…**). The public **a2a-agent-card** documents that **GET https://app.lucysounds.com/api/agent/v1/me** accepts **Authorization: Bearer** with that key (initial scope **read:profile**). Treat keys like passwords: rotate them, scope them minimally, and never embed them in client bundles meant for strangers.
Verify **200** responses and a stable **JSON** shape in a staging or test account before publishing a template. Key creation flows that require a **session** stay server-side or in trusted tooling; do not ask end users to paste secrets into random chat windows.
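One way to run that check from trusted tooling, as an added example that is not Lucy Sounds' own code: it sends the Bearer request described above and compares the structure of the response (key names and value types, never the data) with a baseline saved on the first run. The lesson does not list the response fields, so none are assumed; the `LUCY_API_KEY` variable and the `me_shape.json` file name are assumptions.

```python
import json
import os
import sys
import urllib.request

ME_URL = "https://app.lucysounds.com/api/agent/v1/me"  # endpoint named in the lesson
KEY_ENV = "LUCY_API_KEY"  # assumed variable name; keeps the key out of source and bundles


def build_request(key: str) -> urllib.request.Request:
    """Build the GET /me request, refusing values that are not lucy_ keys."""
    if not key.startswith("lucy_"):
        raise ValueError("expected an API key with the lucy_ prefix")
    return urllib.request.Request(
        ME_URL, headers={"Authorization": f"Bearer {key}", "Accept": "application/json"}
    )


def json_shape(value):
    """Reduce a JSON value to its structure: key names and type names, no data."""
    if isinstance(value, dict):
        return {k: json_shape(v) for k, v in sorted(value.items())}
    if isinstance(value, list):
        # Keep distinct element shapes only, so list length does not matter
        shapes = {json.dumps(json_shape(v), sort_keys=True) for v in value}
        return [json.loads(s) for s in sorted(shapes)]
    return type(value).__name__


def check_me(baseline_path: str) -> bool:
    """Call /me, require HTTP 200, and compare the body's shape to a saved baseline."""
    req = build_request(os.environ[KEY_ENV])
    with urllib.request.urlopen(req, timeout=10) as resp:  # 4xx/5xx raise HTTPError
        if resp.status != 200:
            return False
        shape = json_shape(json.load(resp))
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as fh:  # first run records the shape only
            json.dump(shape, fh, indent=2, sort_keys=True)
        return True
    with open(baseline_path) as fh:
        return json.load(fh) == shape


if __name__ == "__main__":
    sys.exit(0 if check_me("me_shape.json") else 1)
```

Because the baseline holds only key names and type names, it can be committed next to a template without exposing profile data or the key.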
Scoped API keys are how SaaS products separate **user identity** from **automation**; expect **rate limits** and audit trails to tighten as adoption grows.