Skip to main content

Documentation Index

Fetch the complete documentation index at: https://conto.finance/docs/llms.txt

Use this file to discover all available pages before exploring further.

Admin SDK

The Admin SDK lets you programmatically create agents, provision wallets, and configure spending policies. It uses organization API keys (conto_xxx...) which operate at the org level, separate from the agent SDK keys used for payments. 
import { ContoAdmin } from '@conto/sdk';

const admin = new ContoAdmin({
  orgApiKey: process.env.CONTO_ORG_API_KEY!,
});

// Create a policy, create an agent, wire them together
const policy = await admin.policies.create({
  name: 'Daily $500 limit',
  policyType: 'SPEND_LIMIT',
  rules: [{ ruleType: 'DAILY_LIMIT', operator: 'LTE', value: '500' }],
});

const agent = await admin.agents.create({
  name: 'billing-agent',
  agentType: 'CUSTOM',
});

await admin.agents.assignPolicy(agent.id, policy.id);

Organization API Keys

Organization API keys authenticate at the org level and can manage all agents, wallets, and policies in the organization. They are different from agent SDK keys.
Org API KeyAgent SDK Key
Formatconto_xxx...conto_agent_xxx...
ScopeEntire organizationSingle agent
Used forAdmin operationsPayment operations
SDK classContoAdminConto

Creating an Org API Key

1

Go to Settings

Navigate to Settings > API Keys in the dashboard.
2

Create Key

Click Create API Key, enter a name, and select a scope preset:
  • Read Only - View agents, wallets, policies
  • Standard - Read + write agents, wallets, policies, plus membership lookup for ownership flows
  • Admin - Full access (Owner only)
3

Copy the Key

Copy and save the key immediately. It is only shown once.

Scopes

Org API keys use fine-grained scopes that control what the key can access:
ScopeDescription
agents:readList and view agents
agents:writeCreate, update, delete, freeze/unfreeze agents
wallets:readList and view wallets
wallets:writeCreate, update, delete, provision wallets
policies:readList and view policies and rules
policies:writeCreate, update, delete policies, manage rules, assign to agents
transactions:readView transaction history
counterparties:readView counterparties
counterparties:writeCreate and update counterparties
alerts:readView alerts
alerts:writeAcknowledge and resolve alerts
analytics:readView spending analytics
audit:readView audit logs
team:readList organization memberships and ownership candidates

Initialization

import { ContoAdmin } from '@conto/sdk';

const admin = new ContoAdmin({
  orgApiKey: process.env.CONTO_ORG_API_KEY!,
  timeout: 30000,  // Optional, 30s default
});
ContoAdmin rejects agent SDK keys (conto_agent_xxx). If you pass one, it throws an error telling you to use the Conto class instead.

admin.agents

Manage the lifecycle of AI agents in your organization.

agents.list()

List agents with optional filters. 
const { agents, total } = await admin.agents.list({
  status: 'ACTIVE',
  search: 'billing',
  limit: 20,
  offset: 0,
});
ParameterTypeDescription
statusstringFilter by status: ACTIVE, PAUSED, SUSPENDED, REVOKED, FROZEN
searchstringSearch by name or description
limitnumberResults per page (1-100, default 50)
offsetnumberPagination offset

agents.create()

Create a new agent. 
const { members } = await admin.team.listMembers();
const serviceOwner = members.find((member) => member.user?.email === 'ops@yourcompany.com');

const agent = await admin.agents.create({
  name: 'billing-agent',
  agentType: 'CUSTOM',
  description: 'Handles vendor payments',
  ownerMembershipId: serviceOwner?.id,
});
ParameterTypeRequiredDescription
namestringYesAgent name (1-100 chars)
agentTypestringYesOPENAI_ASSISTANT, ANTHROPIC_CLAUDE, LANGCHAIN, AUTOGPT, or CUSTOM
descriptionstringNoDescription (max 500 chars)
publicKeystringNoEthereum address (auto-generated if omitted)
externalIdstringNoYour own identifier for the agent
ownerMembershipIdstringYesOrganization member owner for programmatic/admin flows. Fetch this from admin.team.listMembers() and pass it when creating the agent.

admin.team

List organization memberships for the authenticated organization. This is useful when you need a stable ownerMembershipId to reuse across agent creation and repair flows.

team.listMembers()

const { organizationId, members } = await admin.team.listMembers();

const dedicatedOwner = members.find((member) => member.user?.email === 'ops@yourcompany.com');

if (!dedicatedOwner) {
  throw new Error('No dedicated owner membership found');
}

await admin.agents.create({
  name: 'billing-agent',
  agentType: 'CUSTOM',
  ownerMembershipId: dedicatedOwner.id,
});
This method requires an org API key with the team:read scope or admin.

agents.get()

const agent = await admin.agents.get('agent_id');

agents.update()

await admin.agents.update('agent_id', {
  name: 'Updated Name',
  status: 'PAUSED',
});

agents.delete()

Soft-deletes an agent. Deactivates its SDK keys and wallet/card links. 
await admin.agents.delete('agent_id');

agents.freeze() / agents.unfreeze()

Freeze blocks all transactions for an agent. Unfreeze restores them. 
await admin.agents.freeze('agent_id', {
  reason: 'Suspicious activity detected',
  freezeWallets: true,
});

await admin.agents.unfreeze('agent_id', {
  reason: 'Investigation complete',
  unfreezeWallets: true,
  resetCounters: true,
});

agents.linkWallet()

Link a wallet to an agent with spending limits. 
await admin.agents.linkWallet('agent_id', {
  walletId: 'wallet_id',
  delegationType: 'LIMITED',
  spendLimitPerTx: 100,
  spendLimitDaily: 1000,
  spendLimitWeekly: 5000,
  allowedDays: ['Mon', 'Tue', 'Wed', 'Thu', 'Fri'],
});
ParameterTypeDefaultDescription
walletIdstringRequiredWallet to link
delegationTypestringLIMITEDFULL, LIMITED, VIEW_ONLY, PREAPPROVED, ALLOWLIST
spendLimitPerTxnumber100Max per transaction
spendLimitDailynumber1000Max per day
spendLimitWeeklynumber-Max per week
spendLimitMonthlynumber-Max per month
allowedHoursStartnumber0Allowed hours start (0-23)
allowedHoursEndnumber24Allowed hours end (1-24)
allowedDaysstring[]Mon-FriAllowed days of week

agents.assignPolicy() / agents.unassignPolicy()

await admin.agents.assignPolicy('agent_id', 'policy_id');
await admin.agents.unassignPolicy('agent_id', 'policy_id');

agents.listWallets() / agents.listPolicies()

const { wallets } = await admin.agents.listWallets('agent_id');
const { policies } = await admin.agents.listPolicies('agent_id');

agents.createSdkKey() / agents.listSdkKeys() / agents.revokeSdkKey()

Create agent SDK keys programmatically. The key value is returned only once. 
const { key } = await admin.agents.createSdkKey('agent_id', {
  name: 'Production Key',
  keyType: 'standard',
  expiresInDays: 90,
});

console.log('Save this key:', key); // conto_agent_xxx...

const keys = await admin.agents.listSdkKeys('agent_id');
await admin.agents.revokeSdkKey('agent_id', 'key_id');

admin.wallets

Manage wallets across the organization.

wallets.list()

const { wallets, total } = await admin.wallets.list({
  chainType: 'EVM',
  status: 'ACTIVE',
  limit: 20,
});
ParameterTypeDescription
statusstringACTIVE, FROZEN, ARCHIVED
chainTypestringEVM or SOLANA
chainIdstringSpecific chain ID
limitnumberResults per page (1-100, default 50)
offsetnumberPagination offset

wallets.create()

const wallet = await admin.wallets.create({
  name: 'billing-wallet',
  chainType: 'EVM',
  custodyType: 'SPONGE',
});
ParameterTypeDefaultDescription
namestringRequiredWallet name (1-100 chars)
chainTypestringEVMEVM or SOLANA
chainIdstring-Chain ID (defaults to Tempo testnet)
custodyTypestringPRIVYPRIVY, SPONGE, EXTERNAL, SMART_CONTRACT
walletTypestringEOAEOA, SMART_WALLET, MULTISIG
addressstring-Required when attaching an existing wallet instead of minting a new one
externalWalletIdstring-Existing provider wallet ID. Use with custodyType=PRIVY to attach an existing Privy wallet
importAddressstring-Legacy watch-only import path for EXTERNAL custody
Attach an existing Privy-backed wallet: 
const wallet = await admin.wallets.create({
  name: 'enchant-treasury',
  chainType: 'EVM',
  chainId: '8453',
  custodyType: 'PRIVY',
  externalWalletId: 'privy_wallet_123',
  address: '0x1234...abcd',
});
Register a self-custodied wallet: 
const wallet = await admin.wallets.create({
  name: 'external-ops-wallet',
  chainType: 'EVM',
  chainId: '8453',
  custodyType: 'EXTERNAL',
  address: '0xabcd...1234',
});
wallets.create() is idempotent within the organization per externalWalletId + chainId or address + chainId, so retrying the same request returns the existing wallet instead of creating a duplicate. This attach flow only works when the referenced wallet is visible to the same Privy app Conto is configured to use for managed execution. If the signer lives in a different Privy app or an external wallet stack, register it as EXTERNAL instead.

wallets.get() / wallets.update() / wallets.delete()

const wallet = await admin.wallets.get('wallet_id');

await admin.wallets.update('wallet_id', {
  name: 'Renamed Wallet',
  status: 'FROZEN',
});

await admin.wallets.delete('wallet_id'); // Fails if linked to agents or if payment history exists
Organization API keys can now manage the full wallet lifecycle through wallets.get(), wallets.update(), and wallets.delete() in addition to wallets.list() and wallets.create().

wallets.provision()

Link a wallet to its custody provider and sync its onchain state. 
const result = await admin.wallets.provision('wallet_id');
console.log('Address:', result.wallet.address);
console.log('Balance:', result.wallet.balance, result.wallet.currency);

wallets.refreshBalance()

Fetch the latest balance from the chain. 
const result = await admin.wallets.refreshBalance('wallet_id');
console.log('Total:', result.totalBalance);
for (const balance of result.balances) {
  console.log(`${balance.chainName}:`, balance.balance, balance.symbol);
}

admin.policies

Create and manage spending policies and their rules.

policies.list()

const { policies, total } = await admin.policies.list({
  limit: 50,
  offset: 0,
});

policies.create()

Create a policy with optional rules and agent assignments in one call. 
const policy = await admin.policies.create({
  name: 'Conservative limits',
  policyType: 'SPEND_LIMIT',
  priority: 50,
  rules: [
    { ruleType: 'MAX_AMOUNT', operator: 'LTE', value: '200' },
    { ruleType: 'DAILY_LIMIT', operator: 'LTE', value: '1000' },
    { ruleType: 'MONTHLY_LIMIT', operator: 'LTE', value: '10000' },
  ],
  agentIds: ['agent_1', 'agent_2'], // Assign immediately
});

Policy Types

TypeDescription
SPEND_LIMITTransaction and periodic spending limits
APPROVAL_THRESHOLDRequire human approval above a threshold
COUNTERPARTYAllow/block specific counterparties
CATEGORYAllow/block spending categories
GEOGRAPHICCountry-based restrictions
TIME_WINDOWTime-of-day restrictions
VELOCITYTransaction frequency limits
WHITELISTAllowlist-only recipients
CONTRACT_ALLOWLISTAllowed smart contracts
BLACKOUT_PERIODBlock transactions during specific periods
BUDGET_ALLOCATIONBudget cap enforcement
EXPIRATIONDate-range validity
COMPOSITECombine multiple rule types
MERCHANTMerchant category restrictions

policies.get() / policies.update() / policies.delete()

const policy = await admin.policies.get('policy_id');

await admin.policies.update('policy_id', {
  name: 'Updated name',
  isActive: false,
  priority: 75,
});

await admin.policies.delete('policy_id');

Rule Management

Add, update, and remove individual rules on a policy. 
// Add a single rule
await admin.policies.addRule('policy_id', {
  ruleType: 'DAILY_LIMIT',
  operator: 'LTE',
  value: '500',
  action: 'DENY',
});

// Add multiple rules at once
await admin.policies.addRules('policy_id', [
  { ruleType: 'MAX_AMOUNT', operator: 'LTE', value: '100' },
  { ruleType: 'WEEKLY_LIMIT', operator: 'LTE', value: '2000' },
]);

// Update a rule
await admin.policies.updateRule('policy_id', 'rule_id', {
  value: '750',
});

// Delete a rule
await admin.policies.deleteRule('policy_id', 'rule_id');

// Delete all rules
await admin.policies.deleteAllRules('policy_id');

Rule Operators

OperatorDescription
EQUALSExact match
NOT_EQUALSNot equal
GREATER_THANGreater than
LESS_THANLess than
GTEGreater than or equal
LTELess than or equal
IN / IN_LISTValue is in list
NOT_IN / NOT_IN_LISTValue is not in list
BETWEENValue is between two bounds
NOT_BETWEENValue is outside bounds
DENYAlways deny

Rule Actions

ActionDescription
ALLOWAllow if condition met (default)
DENYBlock if condition met
REQUIRE_APPROVALRequire human approval if condition met

Complete Example

Provision a new agent from scratch: 
import { ContoAdmin } from '@conto/sdk';

const admin = new ContoAdmin({
  orgApiKey: process.env.CONTO_ORG_API_KEY!,
});

// 1. Create a wallet
const wallet = await admin.wallets.create({
  name: 'ops-wallet',
  chainType: 'EVM',
  custodyType: 'SPONGE',
});
await admin.wallets.provision(wallet.id);

// 2. Create a spending policy
const policy = await admin.policies.create({
  name: 'Standard ops limits',
  policyType: 'SPEND_LIMIT',
  rules: [
    { ruleType: 'MAX_AMOUNT', operator: 'LTE', value: '500' },
    { ruleType: 'DAILY_LIMIT', operator: 'LTE', value: '2000' },
  ],
});

// 3. Create the agent
const agent = await admin.agents.create({
  name: 'ops-agent',
  agentType: 'CUSTOM',
  description: 'Handles operational payments',
});

// 4. Link wallet with per-agent limits
await admin.agents.linkWallet(agent.id, {
  walletId: wallet.id,
  delegationType: 'LIMITED',
  spendLimitPerTx: 500,
  spendLimitDaily: 2000,
});

// 5. Assign the policy
await admin.agents.assignPolicy(agent.id, policy.id);

// 6. Generate an SDK key for the agent
const { key } = await admin.agents.createSdkKey(agent.id, {
  name: 'Production',
  expiresInDays: 90,
});

console.log('Agent ready. SDK key:', key);

Security

Org API keys can manage all agents and wallets in the organization. Store them in a secrets manager (AWS Secrets Manager, Vault, etc.), never in source control. Use the minimum scope needed for the task.
Create keys with only the scopes your pipeline needs. A deployment script that provisions agents only needs agents:write, wallets:write, and policies:write.
Set expiration when creating keys. When rotating:
  1. Create a new key
  2. Update your secrets
  3. Deploy
  4. Revoke the old key
Every operation made with an org API key is recorded in the audit log with actor type API_KEY and the key ID. Review audit logs in the dashboard under Audit Logs.

Limitations

Org API keys cannot change billing plans. Billing changes require dashboard session auth with an Owner account.

Error Handling

try {
  await admin.agents.create({ name: 'test', agentType: 'CUSTOM' });
} catch (error) {
  console.error(error.code, error.status, error.message);
}
Error CodeStatusDescription
AUTH_FAILED401Invalid or revoked API key
INSUFFICIENT_SCOPE403Key lacks required scope
NOT_FOUND404Resource not found
VALIDATION_FAILED400Invalid request body
TIMEOUT0Request timed out

Next Steps

Policies

Learn about the policy engine and all rule types

Authentication

Agent SDK keys and scopes

Payments

Making payments with agent SDK keys

CLI Policies

Manage policies from the command line