Summary

• Add Resend as a new app integration (API key auth)
• Implement the generic API key connection flow in the connect popup
• New POST /api/connections/[provider]/connect endpoint for API key submission
• Gateway host rule for api.resend.com with Bearer token injection

Details

This is the first api_key type app connection, proving the architecture supports non-OAuth providers alongside GitHub (OAuth) and Gmail (OAuth with refresh).

Web app:

• Resend app definition with API key field
• Connect popup renders a form for API key input instead of OAuth redirect
• API key stored as access_token in encrypted credentials (gateway picks it up automatically)

Gateway:

• Resend provider registered with api.resend.com host rule
• Bearer auth strategy (same as OAuth apps)
• No token refresh needed (API keys don't expire)

Test plan

• Resend appears in the Apps tab on the connections page
• Click Connect → popup shows API key form (not OAuth redirect)
• Enter API key → Connect → success → popup closes → shows Connected
• In test container: curl https://api.resend.com/domains returns data with injected Bearer token
• Disconnect and reconnect with different key