diff --git a/apps/api/src/routes/auth.ts b/apps/api/src/routes/auth.ts index 0a030eb..fd54c83 100644 --- a/apps/api/src/routes/auth.ts +++ b/apps/api/src/routes/auth.ts @@ -141,7 +141,8 @@ export const account = new Elysia({ prefix: "/account" }) }; }) - .post("/email", async ({ accountId, body }) => { + .post("/email", async ({ accountId, keyId, body, error }) => { + if (keyId) return error(403, { error: "Sub-keys cannot modify account email" }); const emailHash = body.email ? hashEmail(body.email) : null; await sql`UPDATE accounts SET email_hash = ${emailHash} WHERE id = ${accountId}`; return { ok: true }; @@ -151,14 +152,16 @@ export const account = new Elysia({ prefix: "/account" }) }), }) - .post("/reset-key", async ({ accountId, cookie }) => { + .post("/reset-key", async ({ accountId, keyId, cookie, error }) => { + if (keyId) return error(403, { error: "Sub-keys cannot rotate the account key" }); const key = generateKey(); await sql`UPDATE accounts SET key = ${key} WHERE id = ${accountId}`; cookie.pingql_key.set({ value: key, ...COOKIE_OPTS }); return { key, message: "Primary key rotated. Your old key is now invalid." }; }) - .post("/keys", async ({ accountId, body }) => { + .post("/keys", async ({ accountId, keyId, body, error }) => { + if (keyId) return error(403, { error: "Sub-keys cannot create other sub-keys" }); const key = generateKey(); const [created] = await sql`INSERT INTO api_keys (key, account_id, label) VALUES (${key}, ${accountId}, ${body.label}) RETURNING id`; return { key, id: created.id, label: body.label }; @@ -168,7 +171,8 @@ export const account = new Elysia({ prefix: "/account" }) }), }) - .delete("/keys/:id", async ({ accountId, params, error }) => { + .delete("/keys/:id", async ({ accountId, keyId, params, error }) => { + if (keyId) return error(403, { error: "Sub-keys cannot revoke other sub-keys" }); const [deleted] = await sql` DELETE FROM api_keys WHERE id = ${params.id} AND account_id = ${accountId} RETURNING id `; 
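Review bot: The new `if (keyId)` check in the `/email` handler is fail-open: any request whose context carries a falsy `keyId` is treated as the primary key, so it relies on the auth derive (outside this diff) setting `keyId` on every sub-key path and never to `0` or `""`. The same line is repeated in the `/reset-key`, `/keys` and `DELETE /keys/:id` hunks, so a primary-key-only route added later gets no protection by default. Assuming primary-key requests carry `null` or `undefined`, compare explicitly with `if (keyId != null) return error(403, { error: "Sub-keys cannot modify account email" });` and consider moving the check into one `beforeHandle` hook shared by these routes. Logging each rejected attempt with `accountId` and `keyId` (never the key value) would also give a detection signal when a sub-key probes these endpoints.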
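Review bot: `/reset-key` updates only `accounts.key`, so every row in `api_keys` stays valid after a rotation. Now that sub-keys are barred from rotating, the caller is the primary-key holder, often recovering from a leak, and sub-keys minted while the old key was exposed survive that recovery. Consider an option to revoke sub-keys in the same request, or at least say so in the response, e.g. `message: "Primary key rotated. Your old key is now invalid. Existing sub-keys remain active."`. Separately, both handlers in this hunk write the generated key verbatim into a `key` column while the email is stored as a hash; whether lookups could use a hash of the key instead should be checked against the auth code, which is not in this diff.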
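Review bot: The unconditional `if (keyId)` in `DELETE /keys/:id` also stops a sub-key from revoking itself, which removes the quickest containment step for whoever notices that the sub-key has leaked. If self-revocation is wanted, let the request through when the target is the calling key, for example `if (keyId != null && String(keyId) !== String(params.id)) return error(403, { error: "Sub-keys cannot revoke other sub-keys" });`; the existing `account_id = ${accountId}` filter still scopes the delete. The types of `keyId` and `params.id` are not visible here, so the comparison needs confirming. The handler body continues past the end of the hunk.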
diff --git a/apps/web/src/views/settings.ejs b/apps/web/src/views/settings.ejs index 89f3d58..ecb6746 100644 --- a/apps/web/src/views/settings.ejs +++ b/apps/web/src/views/settings.ejs @@ -31,7 +31,8 @@ - + + <% if (!it.isSubKey) { %>

Recovery Email

Used for account recovery only. Stored as a one-way hash — we can't read it.

@@ -44,6 +45,7 @@
+ <% } %>
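Review bot: `<% if (!it.isSubKey) { %>` shows the Recovery Email block whenever the render context omits `isSubKey`, so the route that renders settings.ejs (not in this diff) has to set it for every sub-key session. Otherwise the form appears and its POST is answered with 403. Only this block is wrapped in the visible hunks, while the API change also rejects key rotation and sub-key creation and revocation for sub-keys; if those controls live on this page they probably need the same condition. The `<% } %>` added here closes the block opened in the previous hunk, and the markup between them is not visible in this view.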