diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index 2afb750..2fbefb9 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
-  ".": "0.57.0"
+  ".": "0.58.0"
 }
\ No newline at end of file
diff --git a/.stats.yml b/.stats.yml
index 47ab7c1..3cfc09d 100644
--- a/.stats.yml
+++ b/.stats.yml
@@ -1,4 +1,4 @@
-configured_endpoints: 112
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/kernel/kernel-e9c99662d29710f105847d461f8919e06f6aa2e43b0e1a6285d0b137643a7907.yml
-openapi_spec_hash: 4415cb4790c7a5ec892f4e3521217cb4
-config_hash: 27b38657d9a3b33328be930eeb319628
+configured_endpoints: 117
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/kernel/kernel-3b34d85c005a4058ac1faaea092615af577d12cee6e420f102de57339251672d.yml
+openapi_spec_hash: fad386b8e8712e6639ed9689e9dfc070
+config_hash: 0f222358f24700d1811c5d27078a3849
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cdfd6f3..065f2bd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,20 @@
 # Changelog
 
+## 0.58.0 (2026-05-27)
+
+Full Changelog: [v0.57.0...v0.58.0](https://github.com/kernel/kernel-go-sdk/compare/v0.57.0...v0.58.0)
+
+### Features
+
+* [codex] Expose API keys in SDK config ([bfed2b8](https://github.com/kernel/kernel-go-sdk/commit/bfed2b81450681bb0a053d233f2cc1ecf65762c8))
+* Fix API key request model SDK metadata ([ebc9f45](https://github.com/kernel/kernel-go-sdk/commit/ebc9f45e57aef38964be31942fcf0e8ad554b37b))
+* Support telemetry enabled request config and fix SDK metadata ([53bff5e](https://github.com/kernel/kernel-go-sdk/commit/53bff5ecd62bda11e2fac6db87e0ffaec3edad44))
+
+
+### Chores
+
+* refresh Go SDK release PR ([fe23a23](https://github.com/kernel/kernel-go-sdk/commit/fe23a23c3918c8ee086ecca4e9f9915d57b439b9))
+
 ## 0.57.0 (2026-05-26)
 
 Full Changelog: [v0.56.0...v0.57.0](https://github.com/kernel/kernel-go-sdk/compare/v0.56.0...v0.57.0)
diff --git a/README.md b/README.md
index c26afe8..12b1b42 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ Or to pin the version:
 <!-- x-release-please-start-version -->
 
 ```sh
-go get -u 'github.com/kernel/kernel-go-sdk@v0.57.0'
+go get -u 'github.com/kernel/kernel-go-sdk@v0.58.0'
 ```
 
 <!-- x-release-please-end -->
diff --git a/api.md b/api.md
index 4dd5991..ecda83d 100644
--- a/api.md
+++ b/api.md
@@ -95,7 +95,6 @@ Params Types:
 
 - <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserTelemetryCategoriesConfigParam">BrowserTelemetryCategoriesConfigParam</a>
 - <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserTelemetryCategoryConfigParam">BrowserTelemetryCategoryConfigParam</a>
-- <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#BrowserTelemetryRequestConfigParam">BrowserTelemetryRequestConfigParam</a>
 
 Response Types:
 
@@ -388,6 +387,21 @@ Methods:
 - <code title="get /org/projects/{id}/limits">client.Projects.Limits.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#ProjectLimitService.Get">Get</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, id <a href="https://pkg.go.dev/builtin#string">string</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#ProjectLimits">ProjectLimits</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
 - <code title="patch /org/projects/{id}/limits">client.Projects.Limits.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#ProjectLimitService.Update">Update</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, id <a href="https://pkg.go.dev/builtin#string">string</a>, body <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#ProjectLimitUpdateParams">ProjectLimitUpdateParams</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#ProjectLimits">ProjectLimits</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
 
+# APIKeys
+
+Response Types:
+
+- <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#APIKey">APIKey</a>
+- <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CreatedAPIKey">CreatedAPIKey</a>
+
+Methods:
+
+- <code title="post /org/api_keys">client.APIKeys.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#APIKeyService.New">New</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, body <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#APIKeyNewParams">APIKeyNewParams</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#CreatedAPIKey">CreatedAPIKey</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
+- <code title="get /org/api_keys/{id}">client.APIKeys.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#APIKeyService.Get">Get</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, id <a href="https://pkg.go.dev/builtin#string">string</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#APIKey">APIKey</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
+- <code title="patch /org/api_keys/{id}">client.APIKeys.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#APIKeyService.Update">Update</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, id <a href="https://pkg.go.dev/builtin#string">string</a>, body <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#APIKeyUpdateParams">APIKeyUpdateParams</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#APIKey">APIKey</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
+- <code title="get /org/api_keys">client.APIKeys.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#APIKeyService.List">List</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, query <a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#APIKeyListParams">APIKeyListParams</a>) (\*<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk/packages/pagination">pagination</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk/packages/pagination#OffsetPagination">OffsetPagination</a>[<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk">kernel</a>.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#APIKey">APIKey</a>], <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
+- <code title="delete /org/api_keys/{id}">client.APIKeys.<a href="https://pkg.go.dev/github.com/kernel/kernel-go-sdk#APIKeyService.Delete">Delete</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, id <a href="https://pkg.go.dev/builtin#string">string</a>) <a href="https://pkg.go.dev/builtin#error">error</a></code>
+
 # CredentialProviders
 
 Params Types:
diff --git a/apikey.go b/apikey.go
new file mode 100644
index 0000000..5b42fa1
--- /dev/null
+++ b/apikey.go
@@ -0,0 +1,239 @@
+// File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
+
+package kernel
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"slices"
+	"time"
+
+	"github.com/kernel/kernel-go-sdk/internal/apijson"
+	"github.com/kernel/kernel-go-sdk/internal/apiquery"
+	"github.com/kernel/kernel-go-sdk/internal/requestconfig"
+	"github.com/kernel/kernel-go-sdk/option"
+	"github.com/kernel/kernel-go-sdk/packages/pagination"
+	"github.com/kernel/kernel-go-sdk/packages/param"
+	"github.com/kernel/kernel-go-sdk/packages/respjson"
+)
+
+// Create and manage API keys for organization and project-scoped access.
+//
+// APIKeyService contains methods and other services that help with interacting
+// with the kernel API.
+//
+// Note, unlike clients, this service does not read variables from the environment
+// automatically. You should not instantiate this service directly, and instead use
+// the [NewAPIKeyService] method instead.
+type APIKeyService struct {
+	Options []option.RequestOption
+}
+
+// NewAPIKeyService generates a new service that applies the given options to each
+// request. These options are applied after the parent client's options (if there
+// is one), and before any request-specific options.
+func NewAPIKeyService(opts ...option.RequestOption) (r APIKeyService) {
+	r = APIKeyService{}
+	r.Options = opts
+	return
+}
+
+// Create a new API key within the authenticated organization.
+func (r *APIKeyService) New(ctx context.Context, body APIKeyNewParams, opts ...option.RequestOption) (res *CreatedAPIKey, err error) {
+	opts = slices.Concat(r.Options, opts)
+	path := "org/api_keys"
+	err = requestconfig.ExecuteNewRequest(ctx, http.MethodPost, path, body, &res, opts...)
+	return res, err
+}
+
+// Retrieve an API key by ID for the authenticated organization. API keys are
+// masked.
+func (r *APIKeyService) Get(ctx context.Context, id string, opts ...option.RequestOption) (res *APIKey, err error) {
+	opts = slices.Concat(r.Options, opts)
+	if id == "" {
+		err = errors.New("missing required id parameter")
+		return nil, err
+	}
+	path := fmt.Sprintf("org/api_keys/%s", id)
+	err = requestconfig.ExecuteNewRequest(ctx, http.MethodGet, path, nil, &res, opts...)
+	return res, err
+}
+
+// Update an API key's name.
+func (r *APIKeyService) Update(ctx context.Context, id string, body APIKeyUpdateParams, opts ...option.RequestOption) (res *APIKey, err error) {
+	opts = slices.Concat(r.Options, opts)
+	if id == "" {
+		err = errors.New("missing required id parameter")
+		return nil, err
+	}
+	path := fmt.Sprintf("org/api_keys/%s", id)
+	err = requestconfig.ExecuteNewRequest(ctx, http.MethodPatch, path, body, &res, opts...)
+	return res, err
+}
+
+// List API keys for the authenticated organization. API keys are masked.
+func (r *APIKeyService) List(ctx context.Context, query APIKeyListParams, opts ...option.RequestOption) (res *pagination.OffsetPagination[APIKey], err error) {
+	var raw *http.Response
+	opts = slices.Concat(r.Options, opts)
+	opts = append([]option.RequestOption{option.WithResponseInto(&raw)}, opts...)
+	path := "org/api_keys"
+	cfg, err := requestconfig.NewRequestConfig(ctx, http.MethodGet, path, query, &res, opts...)
+	if err != nil {
+		return nil, err
+	}
+	err = cfg.Execute()
+	if err != nil {
+		return nil, err
+	}
+	res.SetPageConfig(cfg, raw)
+	return res, nil
+}
+
+// List API keys for the authenticated organization. API keys are masked.
+func (r *APIKeyService) ListAutoPaging(ctx context.Context, query APIKeyListParams, opts ...option.RequestOption) *pagination.OffsetPaginationAutoPager[APIKey] {
+	return pagination.NewOffsetPaginationAutoPager(r.List(ctx, query, opts...))
+}
+
+// Delete an API key.
+func (r *APIKeyService) Delete(ctx context.Context, id string, opts ...option.RequestOption) (err error) {
+	opts = slices.Concat(r.Options, opts)
+	opts = append([]option.RequestOption{option.WithHeader("Accept", "*/*")}, opts...)
+	if id == "" {
+		err = errors.New("missing required id parameter")
+		return err
+	}
+	path := fmt.Sprintf("org/api_keys/%s", id)
+	err = requestconfig.ExecuteNewRequest(ctx, http.MethodDelete, path, nil, nil, opts...)
+	return err
+}
+
+type APIKey struct {
+	// Unique API key identifier
+	ID string `json:"id" api:"required"`
+	// When the API key was created
+	CreatedAt time.Time       `json:"created_at" api:"required" format:"date-time"`
+	CreatedBy APIKeyCreatedBy `json:"created_by" api:"required"`
+	// When the API key expires
+	ExpiresAt time.Time `json:"expires_at" api:"required" format:"date-time"`
+	// Masked version of the API key
+	MaskedKey string `json:"masked_key" api:"required"`
+	// API key name
+	Name string `json:"name" api:"required"`
+	// Project identifier for project-scoped API keys. Null means org-wide.
+	ProjectID string `json:"project_id" api:"required"`
+	// Project name for project-scoped API keys. Null means the key is org-wide or the
+	// project name is unavailable.
+	ProjectName string `json:"project_name" api:"required"`
+	// JSON contains metadata for fields, check presence with [respjson.Field.Valid].
+	JSON struct {
+		ID          respjson.Field
+		CreatedAt   respjson.Field
+		CreatedBy   respjson.Field
+		ExpiresAt   respjson.Field
+		MaskedKey   respjson.Field
+		Name        respjson.Field
+		ProjectID   respjson.Field
+		ProjectName respjson.Field
+		ExtraFields map[string]respjson.Field
+		raw         string
+	} `json:"-"`
+}
+
+// Returns the unmodified JSON received from the API
+func (r APIKey) RawJSON() string { return r.JSON.raw }
+func (r *APIKey) UnmarshalJSON(data []byte) error {
+	return apijson.UnmarshalRoot(data, r)
+}
+
+type APIKeyCreatedBy struct {
+	// Kernel user ID of the creator.
+	ID string `json:"id" api:"required"`
+	// Email address of the creator.
+	Email string `json:"email" api:"required" format:"email"`
+	// Display name of the creator, if available.
+	Name string `json:"name" api:"required"`
+	// JSON contains metadata for fields, check presence with [respjson.Field.Valid].
+	JSON struct {
+		ID          respjson.Field
+		Email       respjson.Field
+		Name        respjson.Field
+		ExtraFields map[string]respjson.Field
+		raw         string
+	} `json:"-"`
+}
+
+// Returns the unmodified JSON received from the API
+func (r APIKeyCreatedBy) RawJSON() string { return r.JSON.raw }
+func (r *APIKeyCreatedBy) UnmarshalJSON(data []byte) error {
+	return apijson.UnmarshalRoot(data, r)
+}
+
+// API key returned immediately after creation. Includes the plaintext key once.
+type CreatedAPIKey struct {
+	// Plaintext API key. Only returned once when the key is created.
+	Key string `json:"key" api:"required"`
+	// JSON contains metadata for fields, check presence with [respjson.Field.Valid].
+	JSON struct {
+		Key         respjson.Field
+		ExtraFields map[string]respjson.Field
+		raw         string
+	} `json:"-"`
+	APIKey
+}
+
+// Returns the unmodified JSON received from the API
+func (r CreatedAPIKey) RawJSON() string { return r.JSON.raw }
+func (r *CreatedAPIKey) UnmarshalJSON(data []byte) error {
+	return apijson.UnmarshalRoot(data, r)
+}
+
+type APIKeyNewParams struct {
+	// API key name (1-255 characters)
+	Name string `json:"name" api:"required"`
+	// Number of days until expiry, up to 3650. Use null for never.
+	DaysToExpire param.Opt[int64] `json:"days_to_expire,omitzero"`
+	// Unique project identifier
+	ProjectID param.Opt[string] `json:"project_id,omitzero"`
+	paramObj
+}
+
+func (r APIKeyNewParams) MarshalJSON() (data []byte, err error) {
+	type shadow APIKeyNewParams
+	return param.MarshalObject(r, (*shadow)(&r))
+}
+func (r *APIKeyNewParams) UnmarshalJSON(data []byte) error {
+	return apijson.UnmarshalRoot(data, r)
+}
+
+type APIKeyUpdateParams struct {
+	// New API key name
+	Name string `json:"name" api:"required"`
+	paramObj
+}
+
+func (r APIKeyUpdateParams) MarshalJSON() (data []byte, err error) {
+	type shadow APIKeyUpdateParams
+	return param.MarshalObject(r, (*shadow)(&r))
+}
+func (r *APIKeyUpdateParams) UnmarshalJSON(data []byte) error {
+	return apijson.UnmarshalRoot(data, r)
+}
+
+type APIKeyListParams struct {
+	// Maximum number of results to return
+	Limit param.Opt[int64] `query:"limit,omitzero" json:"-"`
+	// Number of results to skip
+	Offset param.Opt[int64] `query:"offset,omitzero" json:"-"`
+	paramObj
+}
+
+// URLQuery serializes [APIKeyListParams]'s query parameters as `url.Values`.
+func (r APIKeyListParams) URLQuery() (v url.Values, err error) {
+	return apiquery.MarshalWithSettings(r, apiquery.QuerySettings{
+		ArrayFormat:  apiquery.ArrayQueryFormatComma,
+		NestedFormat: apiquery.NestedQueryFormatBrackets,
+	})
+}
diff --git a/apikey_test.go b/apikey_test.go
new file mode 100644
index 0000000..0d1c843
--- /dev/null
+++ b/apikey_test.go
@@ -0,0 +1,142 @@
+// File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
+
+package kernel_test
+
+import (
+	"context"
+	"errors"
+	"os"
+	"testing"
+
+	"github.com/kernel/kernel-go-sdk"
+	"github.com/kernel/kernel-go-sdk/internal/testutil"
+	"github.com/kernel/kernel-go-sdk/option"
+)
+
+func TestAPIKeyNewWithOptionalParams(t *testing.T) {
+	t.Skip("Mock server tests are disabled")
+	baseURL := "http://localhost:4010"
+	if envURL, ok := os.LookupEnv("TEST_API_BASE_URL"); ok {
+		baseURL = envURL
+	}
+	if !testutil.CheckTestServer(t, baseURL) {
+		return
+	}
+	client := kernel.NewClient(
+		option.WithBaseURL(baseURL),
+		option.WithAPIKey("My API Key"),
+	)
+	_, err := client.APIKeys.New(context.TODO(), kernel.APIKeyNewParams{
+		Name:         "staging",
+		DaysToExpire: kernel.Int(30),
+		ProjectID:    kernel.String("proj_abc123"),
+	})
+	if err != nil {
+		var apierr *kernel.Error
+		if errors.As(err, &apierr) {
+			t.Log(string(apierr.DumpRequest(true)))
+		}
+		t.Fatalf("err should be nil: %s", err.Error())
+	}
+}
+
+func TestAPIKeyGet(t *testing.T) {
+	t.Skip("Mock server tests are disabled")
+	baseURL := "http://localhost:4010"
+	if envURL, ok := os.LookupEnv("TEST_API_BASE_URL"); ok {
+		baseURL = envURL
+	}
+	if !testutil.CheckTestServer(t, baseURL) {
+		return
+	}
+	client := kernel.NewClient(
+		option.WithBaseURL(baseURL),
+		option.WithAPIKey("My API Key"),
+	)
+	_, err := client.APIKeys.Get(context.TODO(), "id")
+	if err != nil {
+		var apierr *kernel.Error
+		if errors.As(err, &apierr) {
+			t.Log(string(apierr.DumpRequest(true)))
+		}
+		t.Fatalf("err should be nil: %s", err.Error())
+	}
+}
+
+func TestAPIKeyUpdate(t *testing.T) {
+	t.Skip("Mock server tests are disabled")
+	baseURL := "http://localhost:4010"
+	if envURL, ok := os.LookupEnv("TEST_API_BASE_URL"); ok {
+		baseURL = envURL
+	}
+	if !testutil.CheckTestServer(t, baseURL) {
+		return
+	}
+	client := kernel.NewClient(
+		option.WithBaseURL(baseURL),
+		option.WithAPIKey("My API Key"),
+	)
+	_, err := client.APIKeys.Update(
+		context.TODO(),
+		"id",
+		kernel.APIKeyUpdateParams{
+			Name: "new-api-name",
+		},
+	)
+	if err != nil {
+		var apierr *kernel.Error
+		if errors.As(err, &apierr) {
+			t.Log(string(apierr.DumpRequest(true)))
+		}
+		t.Fatalf("err should be nil: %s", err.Error())
+	}
+}
+
+func TestAPIKeyListWithOptionalParams(t *testing.T) {
+	t.Skip("Mock server tests are disabled")
+	baseURL := "http://localhost:4010"
+	if envURL, ok := os.LookupEnv("TEST_API_BASE_URL"); ok {
+		baseURL = envURL
+	}
+	if !testutil.CheckTestServer(t, baseURL) {
+		return
+	}
+	client := kernel.NewClient(
+		option.WithBaseURL(baseURL),
+		option.WithAPIKey("My API Key"),
+	)
+	_, err := client.APIKeys.List(context.TODO(), kernel.APIKeyListParams{
+		Limit:  kernel.Int(100),
+		Offset: kernel.Int(0),
+	})
+	if err != nil {
+		var apierr *kernel.Error
+		if errors.As(err, &apierr) {
+			t.Log(string(apierr.DumpRequest(true)))
+		}
+		t.Fatalf("err should be nil: %s", err.Error())
+	}
+}
+
+func TestAPIKeyDelete(t *testing.T) {
+	t.Skip("Mock server tests are disabled")
+	baseURL := "http://localhost:4010"
+	if envURL, ok := os.LookupEnv("TEST_API_BASE_URL"); ok {
+		baseURL = envURL
+	}
+	if !testutil.CheckTestServer(t, baseURL) {
+		return
+	}
+	client := kernel.NewClient(
+		option.WithBaseURL(baseURL),
+		option.WithAPIKey("My API Key"),
+	)
+	err := client.APIKeys.Delete(context.TODO(), "id")
+	if err != nil {
+		var apierr *kernel.Error
+		if errors.As(err, &apierr) {
+			t.Log(string(apierr.DumpRequest(true)))
+		}
+		t.Fatalf("err should be nil: %s", err.Error())
+	}
+}
diff --git a/browser.go b/browser.go
index 6a47eb5..f03b6f8 100644
--- a/browser.go
+++ b/browser.go
@@ -660,6 +660,12 @@ type BrowserNewParams struct {
 	// check for inactivity every 5 seconds, so the actual timeout behavior you will
 	// see is +/- 5 seconds around the specified value.
 	TimeoutSeconds param.Opt[int64] `json:"timeout_seconds,omitzero"`
+	// Telemetry configuration for the browser session. Set enabled to true to start
+	// capture using VM defaults, or provide browser category settings. If omitted,
+	// null, set to an empty object ({}), set to enabled: false without browser
+	// category settings, or all four categories are explicitly disabled, capture is
+	// not started.
+	Telemetry BrowserNewParamsTelemetry `json:"telemetry,omitzero"`
 	// Custom Chrome enterprise policy overrides applied to this browser session. Keys
 	// are Chrome enterprise policy names; values must match their expected types.
 	// Blocked: kernel-managed policies (extensions, proxy, CDP/automation). See
@@ -671,12 +677,6 @@ type BrowserNewParams struct {
 	// specified, the matching profile will be loaded into the browser session.
 	// Profiles must be created beforehand.
 	Profile shared.BrowserProfileParam `json:"profile,omitzero"`
-	// Telemetry configuration for the browser session. Set enabled to true to start
-	// capture using VM defaults, or provide browser category settings. If omitted,
-	// null, set to an empty object ({}), set to enabled: false without browser
-	// category settings, or all four categories are explicitly disabled, capture is
-	// not started.
-	Telemetry BrowserTelemetryRequestConfigParam `json:"telemetry,omitzero"`
 	// Initial browser window size in pixels with optional refresh rate. If omitted,
 	// image defaults apply (1920x1080@25). For GPU images, the default is
 	// 1920x1080@60. Arbitrary viewport dimensions and refresh rates are accepted.
@@ -701,6 +701,32 @@ func (r *BrowserNewParams) UnmarshalJSON(data []byte) error {
 	return apijson.UnmarshalRoot(data, r)
 }
 
+// Telemetry configuration for the browser session. Set enabled to true to start
+// capture using VM defaults, or provide browser category settings. If omitted,
+// null, set to an empty object ({}), set to enabled: false without browser
+// category settings, or all four categories are explicitly disabled, capture is
+// not started.
+type BrowserNewParamsTelemetry struct {
+	// Request shortcut for browser telemetry capture. True enables capture using VM
+	// defaults unless browser category settings are provided. False stops capture on
+	// update and starts no capture on create. enabled=false cannot be combined with
+	// browser category settings.
+	Enabled param.Opt[bool] `json:"enabled,omitzero"`
+	// Per-category enable/disable flags. If enabled is true and browser is omitted or
+	// empty, the VM default category set is used. Explicitly disabling all four
+	// categories stops capture on update and starts no capture on create.
+	Browser BrowserTelemetryCategoriesConfigParam `json:"browser,omitzero"`
+	paramObj
+}
+
+func (r BrowserNewParamsTelemetry) MarshalJSON() (data []byte, err error) {
+	type shadow BrowserNewParamsTelemetry
+	return param.MarshalObject(r, (*shadow)(&r))
+}
+func (r *BrowserNewParamsTelemetry) UnmarshalJSON(data []byte) error {
+	return apijson.UnmarshalRoot(data, r)
+}
+
 type BrowserGetParams struct {
 	// When true, includes soft-deleted browser sessions in the lookup.
 	IncludeDeleted param.Opt[bool] `query:"include_deleted,omitzero" json:"-"`
@@ -722,15 +748,15 @@ type BrowserUpdateParams struct {
 	// If true, stealth browsers connect directly instead of using the default stealth
 	// proxy.
 	DisableDefaultProxy param.Opt[bool] `json:"disable_default_proxy,omitzero"`
-	// Profile to load into the browser session. Only allowed if the session does not
-	// already have a profile loaded.
-	Profile shared.BrowserProfileParam `json:"profile,omitzero"`
 	// Telemetry configuration. Omit, set to null, or set to an empty object ({}) to
 	// leave the existing configuration unchanged. Set enabled to true to enable
 	// capture using VM defaults. Set enabled to false to stop capture. Provide browser
 	// category settings for per-category updates. Explicitly disabling all four
 	// categories also stops capture.
-	Telemetry BrowserTelemetryRequestConfigParam `json:"telemetry,omitzero"`
+	Telemetry BrowserUpdateParamsTelemetry `json:"telemetry,omitzero"`
+	// Profile to load into the browser session. Only allowed if the session does not
+	// already have a profile loaded.
+	Profile shared.BrowserProfileParam `json:"profile,omitzero"`
 	// Viewport configuration to apply to the browser session.
 	Viewport BrowserUpdateParamsViewport `json:"viewport,omitzero"`
 	paramObj
@@ -744,6 +770,32 @@ func (r *BrowserUpdateParams) UnmarshalJSON(data []byte) error {
 	return apijson.UnmarshalRoot(data, r)
 }
 
+// Telemetry configuration. Omit, set to null, or set to an empty object ({}) to
+// leave the existing configuration unchanged. Set enabled to true to enable
+// capture using VM defaults. Set enabled to false to stop capture. Provide browser
+// category settings for per-category updates. Explicitly disabling all four
+// categories also stops capture.
+type BrowserUpdateParamsTelemetry struct {
+	// Request shortcut for browser telemetry capture. True enables capture using VM
+	// defaults unless browser category settings are provided. False stops capture on
+	// update and starts no capture on create. enabled=false cannot be combined with
+	// browser category settings.
+	Enabled param.Opt[bool] `json:"enabled,omitzero"`
+	// Per-category enable/disable flags. If enabled is true and browser is omitted or
+	// empty, the VM default category set is used. Explicitly disabling all four
+	// categories stops capture on update and starts no capture on create.
+	Browser BrowserTelemetryCategoriesConfigParam `json:"browser,omitzero"`
+	paramObj
+}
+
+func (r BrowserUpdateParamsTelemetry) MarshalJSON() (data []byte, err error) {
+	type shadow BrowserUpdateParamsTelemetry
+	return param.MarshalObject(r, (*shadow)(&r))
+}
+func (r *BrowserUpdateParamsTelemetry) UnmarshalJSON(data []byte) error {
+	return apijson.UnmarshalRoot(data, r)
+}
+
 // Viewport configuration to apply to the browser session.
 type BrowserUpdateParamsViewport struct {
 	// If true, allow the viewport change even when a live view or recording/replay is
diff --git a/browser_test.go b/browser_test.go
index 1d3f6c4..e56f1b8 100644
--- a/browser_test.go
+++ b/browser_test.go
@@ -49,7 +49,7 @@ func TestBrowserNewWithOptionalParams(t *testing.T) {
 		ProxyID:  kernel.String("proxy_id"),
 		StartURL: kernel.String("https://example.com"),
 		Stealth:  kernel.Bool(true),
-		Telemetry: kernel.BrowserTelemetryRequestConfigParam{
+		Telemetry: kernel.BrowserNewParamsTelemetry{
 			Browser: kernel.BrowserTelemetryCategoriesConfigParam{
 				Console: kernel.BrowserTelemetryCategoryConfigParam{
 					Enabled: kernel.Bool(true),
@@ -135,7 +135,7 @@ func TestBrowserUpdateWithOptionalParams(t *testing.T) {
 				SaveChanges: kernel.Bool(true),
 			},
 			ProxyID: kernel.String("proxy_id"),
-			Telemetry: kernel.BrowserTelemetryRequestConfigParam{
+			Telemetry: kernel.BrowserUpdateParamsTelemetry{
 				Browser: kernel.BrowserTelemetryCategoriesConfigParam{
 					Console: kernel.BrowserTelemetryCategoryConfigParam{
 						Enabled: kernel.Bool(true),
diff --git a/browsertelemetry.go b/browsertelemetry.go
index 093cefa..d4e02f8 100644
--- a/browsertelemetry.go
+++ b/browsertelemetry.go
@@ -2082,27 +2082,6 @@ func (r *BrowserTelemetryEventUnionData) UnmarshalJSON(data []byte) error {
 	return apijson.UnmarshalRoot(data, r)
 }
 
-// Telemetry request configuration for a browser session.
-type BrowserTelemetryRequestConfigParam struct {
-	// Request shortcut for browser telemetry capture. True enables capture using VM
-	// defaults. False stops capture on update and starts no capture on create. Cannot
-	// be combined with browser category settings.
-	Enabled param.Opt[bool] `json:"enabled,omitzero"`
-	// Per-category enable/disable flags. If enabled is true and browser is omitted or
-	// empty, the VM default category set is used. Explicitly disabling all four
-	// categories stops capture on update and starts no capture on create.
-	Browser BrowserTelemetryCategoriesConfigParam `json:"browser,omitzero"`
-	paramObj
-}
-
-func (r BrowserTelemetryRequestConfigParam) MarshalJSON() (data []byte, err error) {
-	type shadow BrowserTelemetryRequestConfigParam
-	return param.MarshalObject(r, (*shadow)(&r))
-}
-func (r *BrowserTelemetryRequestConfigParam) UnmarshalJSON(data []byte) error {
-	return apijson.UnmarshalRoot(data, r)
-}
-
 // Envelope wrapping a browser telemetry event with its monotonic sequence number.
 // Each SSE data: frame carries one envelope as JSON. The seq value is also emitted
 // as the SSE id: field so clients can pass it as Last-Event-ID on reconnect.
diff --git a/client.go b/client.go
index 27982b8..5060e16 100644
--- a/client.go
+++ b/client.go
@@ -42,6 +42,8 @@ type Client struct {
 	Credentials CredentialService
 	// Create and manage projects for resource isolation within an organization.
 	Projects ProjectService
+	// Create and manage API keys for organization and project-scoped access.
+	APIKeys APIKeyService
 	// Configure external credential providers like 1Password.
 	CredentialProviders CredentialProviderService
 }
@@ -92,6 +94,7 @@ func NewClient(opts ...option.RequestOption) (r Client) {
 	r.BrowserPools = NewBrowserPoolService(opts...)
 	r.Credentials = NewCredentialService(opts...)
 	r.Projects = NewProjectService(opts...)
+	r.APIKeys = NewAPIKeyService(opts...)
 	r.CredentialProviders = NewCredentialProviderService(opts...)
 
 	return
diff --git a/internal/version.go b/internal/version.go
index dca821f..b02ed08 100644
--- a/internal/version.go
+++ b/internal/version.go
@@ -2,4 +2,4 @@
 
 package internal
 
-const PackageVersion = "0.57.0" // x-release-please-version
+const PackageVersion = "0.58.0" // x-release-please-version