Generating API keys
API keys authenticate every call to the public agents API. A key is scoped to one workspace and inherits the role of the user who created it. Keys are created in the app — you can’t mint a key with a key.
Creating keys requires the workspace
adminrole. Agent endpoints also require an admin key.
Create a key
- Open API Keys
Go to Settings → Developer & Operations → API Keys. See Settings → API Keys.
- Create the key
Click Create API key. Give it a name (3–50 characters), an optional description, and an expiry (
15d,25d,45d,90d,6m, or1y). - Copy it immediately
The full key value (
sk_prod_…) is shown only once, for a few minutes. Copy it now — afterward only a masked preview is stored.
A key looks like:
sk_prod_3f9a1c7e2b8d4056a1c2e3f40516a7b8Use the key
Send it as a Bearer token on every request:
curl https://tmmate.ai/api/v1/capabilities \
-H "Authorization: Bearer sk_prod_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"Store the key in an environment variable, never in source control or client-side code. Keys are stored hashed; treat one like a password.
Access levels
A key inherits its user’s workspace role:
| Tier | Who | Scope |
|---|---|---|
| Admin | The key’s user is a workspace admin | All agent and capability endpoints, plus knowledge-base management. |
| Member | Any workspace member with a valid key | Knowledge-base runtime (search, query, status, embeddings). |
Calling an admin endpoint with a non-admin key returns 403 FORBIDDEN. A missing, malformed, expired, or deactivated key returns 401 UNAUTHORIZED.
Lifecycle and rotation
- Expiry — keys stop working at the end of the window you chose.
- Rotation — create the new key, deploy it, then delete the old one. Multiple active keys per workspace are allowed.
- Revoke — deactivate or delete a leaked key from the same screen and create a new one.
Embedding an agent
Selecting a key for an agent’s embed code is a separate flow that reuses an existing workspace key rather than minting a per-agent key. See API key selection.