Create API key (authenticated)

Returns the plaintext token exactly once — store it immediately, it cannot be re-derived. Requires an authenticated session or API key. The caller can only request scopes they themselves have: a session with ['read','stream'] cannot mint a key with 'admin'.