Admin SDK
The Admin SDK lets you programmatically create agents, provision wallets, and configure spending policies. It uses organization API keys (conto_xxx...) which operate at the org level, separate from the agent SDK keys used for payments.
Organization API Keys
Organization API keys authenticate at the org level and can manage all agents, wallets, and policies in the organization. They are different from agent SDK keys.
| | Org API Key | Agent SDK Key |
|---|---|---|
| Format | conto_xxx... | conto_agent_xxx... |
| Scope | Entire organization | Single agent |
| Used for | Admin operations | Payment operations |
| SDK class | ContoAdmin | Conto |
Creating an Org API Key
Create Key
Click Create API Key, enter a name, and select a scope preset:
- Read Only - View agents, wallets, policies
- Standard - Read + write agents, wallets, policies
- Admin - Full access (Owner only)
Scopes
Org API keys use fine-grained scopes that control what the key can access:
| Scope | Description |
|---|---|
| agents:read | List and view agents |
| agents:write | Create, update, delete, freeze/unfreeze agents |
| wallets:read | List and view wallets |
| wallets:write | Create, update, delete, provision wallets |
| policies:read | List and view policies and rules |
| policies:write | Create, update, delete policies, manage rules, assign to agents |
| transactions:read | View transaction history |
| counterparties:read | View counterparties |
| counterparties:write | Create and update counterparties |
| alerts:read | View alerts |
| alerts:write | Acknowledge and resolve alerts |
| analytics:read | View spending analytics |
| audit:read | View audit logs |
Initialization
ContoAdmin rejects agent SDK keys (conto_agent_xxx). If you pass one, it throws an error telling you to use the Conto class instead.
admin.agents
Manage the lifecycle of AI agents in your organization.
agents.list()
List agents with optional filters.
| Parameter | Type | Description |
|---|---|---|
| status | string | Filter by status: ACTIVE, PAUSED, SUSPENDED, REVOKED, FROZEN |
| search | string | Search by name or description |
| limit | number | Results per page (1-100, default 50) |
| offset | number | Pagination offset |
agents.create()
Create a new agent.
| Parameter | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Agent name (1-100 chars) |
| agentType | string | Yes | OPENAI_ASSISTANT, ANTHROPIC_CLAUDE, LANGCHAIN, AUTOGPT, or CUSTOM |
| description | string | No | Description (max 500 chars) |
| publicKey | string | No | Ethereum address (auto-generated if omitted) |
| externalId | string | No | Your own identifier for the agent |
agents.get()
agents.update()
agents.delete()
Soft-deletes an agent. Deactivates its SDK keys and wallet/card links.
agents.freeze() / agents.unfreeze()
Freeze blocks all transactions for an agent. Unfreeze restores them.
agents.linkWallet()
Link a wallet to an agent with spending limits.
| Parameter | Type | Default | Description |
|---|---|---|---|
| walletId | string | Required | Wallet to link |
| delegationType | string | LIMITED | FULL, LIMITED, VIEW_ONLY, PREAPPROVED, ALLOWLIST |
| spendLimitPerTx | number | 100 | Max per transaction |
| spendLimitDaily | number | 1000 | Max per day |
| spendLimitWeekly | number | - | Max per week |
| spendLimitMonthly | number | - | Max per month |
| allowedHoursStart | number | 0 | Allowed hours start (0-23) |
| allowedHoursEnd | number | 24 | Allowed hours end (1-24) |
| allowedDays | string[] | Mon-Fri | Allowed days of week |
agents.assignPolicy() / agents.unassignPolicy()
agents.listWallets() / agents.listPolicies()
agents.createSdkKey() / agents.listSdkKeys() / agents.revokeSdkKey()
Create agent SDK keys programmatically. The key value is returned only once.
admin.wallets
Manage wallets across the organization.
wallets.list()
| Parameter | Type | Description |
|---|---|---|
| status | string | ACTIVE, FROZEN, ARCHIVED |
| chainType | string | EVM or SOLANA |
| chainId | string | Specific chain ID |
| limit | number | Results per page (1-100, default 50) |
| offset | number | Pagination offset |
wallets.create()
| Parameter | Type | Default | Description |
|---|---|---|---|
| name | string | Required | Wallet name (1-100 chars) |
| chainType | string | EVM | EVM or SOLANA |
| chainId | string | - | Chain ID (defaults to Tempo testnet) |
| custodyType | string | PRIVY | PRIVY, SPONGE, EXTERNAL, SMART_CONTRACT |
| walletType | string | EOA | EOA, SMART_WALLET, MULTISIG |
wallets.get() / wallets.update() / wallets.delete()
wallets.provision()
Link a wallet to its custody provider and sync its onchain state.
wallets.refreshBalance()
Fetch the latest balance from the chain.
admin.policies
Create and manage spending policies and their rules.
policies.list()
policies.create()
Create a policy with optional rules and agent assignments in one call.
Policy Types
| Type | Description |
|---|---|
| SPEND_LIMIT | Transaction and periodic spending limits |
| APPROVAL_THRESHOLD | Require human approval above a threshold |
| COUNTERPARTY | Allow/block specific counterparties |
| CATEGORY | Allow/block spending categories |
| GEOGRAPHIC | Country-based restrictions |
| TIME_WINDOW | Time-of-day restrictions |
| VELOCITY | Transaction frequency limits |
| WHITELIST | Allowlist-only recipients |
| CONTRACT_ALLOWLIST | Allowed smart contracts |
| BLACKOUT_PERIOD | Block transactions during specific periods |
| BUDGET_ALLOCATION | Budget cap enforcement |
| EXPIRATION | Date-range validity |
| COMPOSITE | Combine multiple rule types |
| MERCHANT | Merchant category restrictions |
policies.get() / policies.update() / policies.delete()
Rule Management
Add, update, and remove individual rules on a policy.
Rule Operators
| Operator | Description |
|---|---|
| EQUALS | Exact match |
| NOT_EQUALS | Not equal |
| GREATER_THAN | Greater than |
| LESS_THAN | Less than |
| GTE | Greater than or equal |
| LTE | Less than or equal |
| IN / IN_LIST | Value is in list |
| NOT_IN / NOT_IN_LIST | Value is not in list |
| BETWEEN | Value is between two bounds |
| NOT_BETWEEN | Value is outside bounds |
| DENY | Always deny |
Rule Actions
| Action | Description |
|---|---|
| ALLOW | Allow if condition met (default) |
| DENY | Block if condition met |
| REQUIRE_APPROVAL | Require human approval if condition met |
Complete Example
Provision a new agent from scratch:
Security
Org keys are powerful. Treat them accordingly.
Org API keys can manage all agents and wallets in the organization. Store them in a secrets manager (AWS Secrets Manager, Vault, etc.), never in source control. Use the minimum scope needed for the task.
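A pre-commit or CI check for the rule above that keys never reach source control, as an added example that is not part of the Conto SDK or its docs. The `conto_` and `conto_agent_` prefixes come from the key table on this page; the suffix alphabet, the 16-character minimum and the `CONTO_ORG_KEY` variable name are assumptions.

```javascript
// Added example (not Conto code): find Conto API keys committed to source.
// Prefixes are from the key-format table; the suffix alphabet and the
// 16-character minimum are assumptions, so tune KEY_RE to your real keys.
const KEY_RE = /\bconto_[A-Za-z0-9_-]{16,}/g;

function classify(key) {
  // Test the longer prefix first: "conto_" is also a prefix of agent keys.
  return key.startsWith("conto_agent_")
    ? { kind: "agent-sdk-key", severity: "high", prefix: "conto_agent_" }
    : { kind: "org-api-key", severity: "critical", prefix: "conto_" };
}

function scanText(path, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, i) => {
    for (const m of lineText.matchAll(KEY_RE)) {
      const { kind, severity, prefix } = classify(m[0]);
      findings.push({
        path,
        line: i + 1,
        kind,
        severity,
        // Never echo the secret into CI logs; report only prefix and length.
        redacted: `${prefix}<redacted:${m[0].length - prefix.length} chars>`,
      });
    }
  });
  return findings;
}

// Constructed sample file contents; both key values are made up.
const SAMPLE = [
  "const key = process.env.CONTO_ORG_KEY; // hypothetical variable name",
  'const leaked = "conto_9fK2mQ7xLp0aZr4TtVb81cDe";',
  "# docs placeholder, too short to match: conto_xxx...",
  "AGENT_KEY=conto_agent_Hh38sJq0PzX5nW2yUe7RkL9a",
].join("\n");

console.log(scanText("deploy/provision.js", SAMPLE));
```

A finding of kind `org-api-key` means the key should be revoked and replaced, not just removed from the file, because it remains in repository history.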
Use scoped keys for CI/CD
Create keys with only the scopes your pipeline needs. A deployment script that provisions agents only needs agents:write, wallets:write, and policies:write.
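One way to check a CI/CD key against the scopes a pipeline needs, as an added example that is not Conto code. Scope names are taken from the Scopes table; the mapping from operations to scopes is inferred from the scope descriptions and is an assumption to verify against your own INSUFFICIENT_SCOPE responses.

```javascript
// Added example (not Conto code). Scope names are from the Scopes table; the
// operation-to-scope mapping is inferred from the scope descriptions and is an
// assumption to confirm against INSUFFICIENT_SCOPE (403) responses.
const REQUIRED_SCOPE = {
  "agents.list": "agents:read",
  "agents.get": "agents:read",
  "agents.create": "agents:write",
  "agents.update": "agents:write",
  "agents.delete": "agents:write",
  "agents.freeze": "agents:write",
  "agents.unfreeze": "agents:write",
  "agents.assignPolicy": "policies:write",
  "wallets.list": "wallets:read",
  "wallets.get": "wallets:read",
  "wallets.create": "wallets:write",
  "wallets.provision": "wallets:write",
  "policies.list": "policies:read",
  "policies.get": "policies:read",
  "policies.create": "policies:write",
  "policies.update": "policies:write",
};
const hasOp = (op) => Object.prototype.hasOwnProperty.call(REQUIRED_SCOPE, op);

function auditKeyScopes(plannedOps, grantedScopes) {
  const unknown = plannedOps.filter((op) => !hasOp(op));
  if (unknown.length) {
    // Fail closed: an unmapped operation must be reviewed, not silently allowed.
    throw new Error(`no scope mapping for: ${unknown.join(", ")}`);
  }
  const required = new Set(plannedOps.map((op) => REQUIRED_SCOPE[op]));
  const granted = new Set(grantedScopes);
  return {
    required: [...required].sort(),
    missing: [...required].filter((s) => !granted.has(s)).sort(), // would 403
    excess: [...granted].filter((s) => !required.has(s)).sort(), // over-privileged
  };
}

// Constructed pipeline: the agent-provisioning deployment script described above.
const PIPELINE_OPS = ["agents.create", "wallets.create", "wallets.provision",
  "policies.create", "agents.assignPolicy"];
// Constructed key grant: one needed scope absent, two unneeded ones present.
const KEY_SCOPES = ["agents:write", "wallets:write", "audit:read", "counterparties:write"];

console.log(auditKeyScopes(PIPELINE_OPS, KEY_SCOPES));
```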
Rotate keys regularly
Set expiration when creating keys. When rotating:
- Create a new key
- Update your secrets
- Deploy
- Revoke the old key
All actions are audit-logged
Every operation made with an org API key is recorded in the audit log with actor type API_KEY and the key ID. Review audit logs in the dashboard under Audit Logs.
Limitations
Org API keys cannot:
- Access the super admin panel (/api/admin/*)
- Change billing plans
- Rotate encryption keys
- Manage feature flags
Error Handling
| Error Code | Status | Description |
|---|---|---|
| AUTH_FAILED | 401 | Invalid or revoked API key |
| INSUFFICIENT_SCOPE | 403 | Key lacks required scope |
| NOT_FOUND | 404 | Resource not found |
| VALIDATION_FAILED | 400 | Invalid request body |
| TIMEOUT | 0 | Request timed out |
Next Steps
Policies
Learn about the policy engine and all rule types
Authentication
Agent SDK keys and scopes
Payments
Making payments with agent SDK keys
CLI Policies
Manage policies from the command line