When an Admin created an API key, the key hash is displayed in plain text in Admin > Logs and viewable by me (moderator). While most users won’t have access to the Admin > Logs, I’d still expect values like that to be further restricted.
Yep. We just did a quick test on latest tests-passed and everything looks fine. You will see the truncated key and the key hash, but the actual API key is not visible in the logs.