Keys
Per-organization API keys, scoped as narrowly as you need.
Keys are minted and revoked from the Keys page in your dashboard. Every key belongs to your organization and can optionally be scoped to a workspace or a single agent, so one leaked credential never exposes more than its scope.
How keys work
- Minting and revoking happen in the dashboard, gated on an owner or admin role. Every key row records who created it and shows only a masked display value after creation.
- The Gateway authenticates against an edge cache of key hashes. The full key is never stored, and the hot path never touches a database.
- Revocation propagates to the edge; a disabled key stops authenticating everywhere.
Spending caps
Caps attach to scopes, never pools:
- A key cap is a lifetime spend limit for that key.
- A workspace cap is a calendar-month limit for everything in the workspace.
When your wallet balance is exhausted, new requests receive a 402 with type
insufficient_quota. In-flight streams are never interrupted; only new
requests are gated.
Handling keys well
Read keys from the environment, never from source. If you build with a coding agent, install the Allocate skill, which carries the same rule.