API keys

How keys work, how to manage them, and what's coming for programmatic key management.

API keys are issued and revoked through the Console, not the API. This page documents the model; programmatic key endpoints are on the near-term roadmap.

Anatomy of a key

```text
jett_sk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
│    │  │    └─────────── 32-char random secret
│    │  └──────────────── live | test (test ships with the production deploy)
│    └─────────────────── sk = secret key
└──────────────────────── jett = Jettson prefix
```

The full key value is only shown at creation. We store a SHA-256 hash; revealing a key is impossible by design.

What a key is allowed to do

A key authenticates as the account owner. It can:

  • Start, list, get, and stop agents
  • Read, write, search, and bulk-export memories
  • Use every built-in tool inside a running agent's computer

It cannot:

  • Manage other API keys
  • Manage billing
  • Access another account's data (server-side validation by userId)

Managing keys

In the Console at /console/api-keys:

  • Create — name the key, copy the value once, get on with your day.
  • Revoke — flips revokedAt. Subsequent requests with the revoked key return 401. There's no propagation delay.
  • History — every key (including revoked ones) stays in your audit log with creation and last-used timestamps.
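The hash-only storage and revocation model described on this page can be sketched as follows. This is an added example, not Jettson's server code: the `KeyStore` class, its method names, the record fields other than `userId` and `revokedAt`, and the lowercase-alphanumeric secret alphabet (inferred from the sample key) are assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone

# Assumption: the 32-char secret is lowercase letters and digits, as in the sample key.
KEY_RE = re.compile(r"jett_sk_(live|test)_([a-z0-9]{32})")

def key_digest(key: str) -> str:
    """SHA-256 hex digest of the full key: the only form that is stored."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()

class KeyStore:
    """Hypothetical in-memory stand-in for the server-side key table."""
    def __init__(self):
        self._by_digest = {}

    def create(self, key: str, user_id: str, name: str) -> str:
        if not KEY_RE.fullmatch(key):
            raise ValueError("malformed key")
        record_id = key_digest(key)  # the plaintext key is never kept
        self._by_digest[record_id] = {
            "userId": user_id, "name": name,
            "createdAt": datetime.now(timezone.utc),
            "lastUsedAt": None, "revokedAt": None,
        }
        return record_id

    def revoke(self, record_id: str) -> None:
        # The record stays for the audit log; only revokedAt changes.
        self._by_digest[record_id]["revokedAt"] = datetime.now(timezone.utc)

    def authenticate(self, presented: str):
        """Return (200, userId) for a live key, (401, None) otherwise."""
        if not KEY_RE.fullmatch(presented):
            return 401, None  # wrong shape: reject before hashing
        record = self._by_digest.get(key_digest(presented))
        if record is None or record["revokedAt"] is not None:
            return 401, None  # unknown or revoked
        record["lastUsedAt"] = datetime.now(timezone.utc)
        return 200, record["userId"]

def redact(key: str) -> str:
    """Log-safe form: keep prefix and environment, mask the secret."""
    m = KEY_RE.fullmatch(key)
    return f"jett_sk_{m.group(1)}_{'*' * 32}" if m else "<not a Jettson key>"

if __name__ == "__main__":
    sample = "jett_sk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"  # sample key from this page
    store = KeyStore()
    rid = store.create(sample, "user_1", "ci")
    print(store.authenticate(sample), redact(sample))
    store.revoke(rid)
    print(store.authenticate(sample))
```

Because only the digest is stored, a leaked copy of the key table does not yield usable keys, and `redact` gives a form that is safe to write to application logs.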

Coming soon

| Feature | Description |
| --- | --- |
| Programmatic create/revoke endpoints | Lets you mint per-user keys from your app |
| Per-key scopes | "This key can only call /api/v1/memory/*" |
| Per-key rate-limit overrides | For internal services that need a higher cap |