SDK Authentication
Conto SDK requests authenticate with agent-specific SDK keys:Choose the Right Credential
Use the credential type that matches the job you need to do:ContoAdmin requires an organization API key. Admin SDK keys can call elevated HTTP API
endpoints, but they are not a drop-in replacement for the ContoAdmin constructor.Generate SDK Keys
Via Dashboard
1
Open the agent
Go to Agents and select the agent that will use the key.
2
Create a key
Open the SDK Integration tab and click Generate SDK Key.
3
Choose a preset
Select Standard for the payment lifecycle plus read access, or Admin if the agent also
needs elevated management access.
4
Set expiration
Choose an expiration window. Keys default to 365 days and cannot exceed 730 days.
5
Copy the secret
Via API
POST /api/agents/{agentId}/sdk-keys accepts name, optional expiresInDays, and optional
keyType. Standard keys created through this endpoint use the standard preset shown above:
the payment lifecycle plus read scopes.Use SDK Keys
Client initialization and environment-variable setup live in SDK Installation: pass the agent SDK key asapiKey to Conto, and the
organization API key as orgApiKey to ContoAdmin.
Admin SDK Reference
Use organization API keys with
ContoAdmin for organization-wide provisioning and management.Organization API keys are the right credential for programmatic wallet provisioning and cleanup.
That includes
create, get, update, and delete wallet operations through the
Admin SDK or the corresponding /api/wallets HTTP endpoints. To archive a wallet, use
update({ status: 'ARCHIVED' }).Standard SDK Scopes
Standard SDK keys cover the full payment lifecycle plus read access. Spending control comes from policies, spend limits, approvals, and custody, not from withholding payment scopes.Standard SDK keys created through the SDK-key management endpoint start from this preset, and the
creation response lists the granted
scopes. Every payment a standard key executes still passes
through policy evaluation, spend limits, and any approval workflows. Use keyType: "admin" only
when the agent needs delegated management access to agents, wallets, or policies.Admin SDK Keys
Admin SDK keys use an elevated preset intended for delegated agent management workflows. They include:- All standard SDK scopes
agents:writewallets:writepolicies:write
admin super-scope.
They also cannot create other admin SDK keys. That escalation path is blocked intentionally.
Key Expiration
All SDK keys have a mandatory expiration.Revoke Keys
Via Dashboard
- Go to Agents
- Open the agent
- Open SDK Keys
- Click Revoke
Via API
Best Practices
- Store SDK keys in a secrets manager, not in source control.
- Use separate keys for development, staging, and production.
- Prefer standard keys unless the agent truly needs elevated management access.
- Standard keys can move funds, so constrain agents with policies, spend limits, and approval workflows rather than treating the key as the control surface.
- Rotate keys on a schedule instead of waiting for emergency revocations.