Skip to main content

SDK Authentication

Conto SDK requests authenticate with agent-specific SDK keys:
Every SDK key belongs to exactly one agent. SDK keys always expire automatically: the default lifetime is 365 days and the maximum is 730 days.

Choose the Right Credential

Use the credential type that matches the job you need to do:
ContoAdmin requires an organization API key. Admin SDK keys can call elevated HTTP API endpoints, but they are not a drop-in replacement for the ContoAdmin constructor.

Generate SDK Keys

Via Dashboard

1

Open the agent

Go to Agents and select the agent that will use the key.
2

Create a key

Open the SDK Integration tab and click Generate SDK Key.
3

Choose a preset

Select Standard for the payment lifecycle plus read access, or Admin if the agent also needs elevated management access.
4

Set expiration

Choose an expiration window. Keys default to 365 days and cannot exceed 730 days.
5

Copy the secret

The full key is shown only once. Store it in your secrets manager before closing the dialog.

Via API

Response
POST /api/agents/{agentId}/sdk-keys accepts name, optional expiresInDays, and optional keyType. Standard keys created through this endpoint use the standard preset shown above: the payment lifecycle plus read scopes.

Use SDK Keys

Client initialization and environment-variable setup live in SDK Installation: pass the agent SDK key as apiKey to Conto, and the organization API key as orgApiKey to ContoAdmin.

Admin SDK Reference

Use organization API keys with ContoAdmin for organization-wide provisioning and management.
Organization API keys are the right credential for programmatic wallet provisioning and cleanup. That includes create, get, update, and delete wallet operations through the Admin SDK or the corresponding /api/wallets HTTP endpoints. To archive a wallet, use update({ status: 'ARCHIVED' }).

Standard SDK Scopes

Standard SDK keys cover the full payment lifecycle plus read access. Spending control comes from policies, spend limits, approvals, and custody, not from withholding payment scopes.
Standard SDK keys created through the SDK-key management endpoint start from this preset, and the creation response lists the granted scopes. Every payment a standard key executes still passes through policy evaluation, spend limits, and any approval workflows. Use keyType: "admin" only when the agent needs delegated management access to agents, wallets, or policies.

Admin SDK Keys

Admin SDK keys use an elevated preset intended for delegated agent management workflows. They include:
  • All standard SDK scopes
  • agents:write
  • wallets:write
  • policies:write
They do not include organization-superuser capabilities such as team management, organization settings, or the admin super-scope. They also cannot create other admin SDK keys. That escalation path is blocked intentionally.

Key Expiration

All SDK keys have a mandatory expiration.
There is no non-expiring SDK key mode. Build key rotation into your operational runbooks.

Revoke Keys

Via Dashboard

  1. Go to Agents
  2. Open the agent
  3. Open SDK Keys
  4. Click Revoke

Via API

Revocation is immediate.

Best Practices

  • Store SDK keys in a secrets manager, not in source control.
  • Use separate keys for development, staging, and production.
  • Prefer standard keys unless the agent truly needs elevated management access.
  • Standard keys can move funds, so constrain agents with policies, spend limits, and approval workflows rather than treating the key as the control surface.
  • Rotate keys on a schedule instead of waiting for emergency revocations.