Agent-native key management

2026-05-13 · v0.5.7.0 · feature

Agent-native key management

2026-05-13 · v0.5.7.0 · feature

Headline. Service keys (sk_svc_…) can now mint, rotate, and revoke API keys via POST /v1/keys. Your agent manages its own credentials with full audit lineage.

v0.5.7.0 ships agent-native key management: a portal-bootstrapped service key (prefix sk_svc_…) can now mint, list, update, rotate, and revoke child API keys via POST /v1/keys. Existing sk_test_… and sk_live_… API keys keep working with no changes. There is nothing to migrate unless you opt in.

For the full concept page, see Service keys. To upgrade an existing integration, see the dedicated upgrade guide.

What changed

New credential type: service keys (sk_svc_test_… / sk_svc_live_…), generated from the portal, used for /v1/keys credential management. They authenticate the same way as regular API keys (Authorization: Bearer …) but cannot place calls, send SMS, or read /v1/audit.
Six new endpoints under /v1/keys for child key lifecycle, plus GET /v1/audit for the compliance event stream.
New Service Keys tab in the portal (Settings → Keys).
TypeScript, Python, and MCP SDKs all expose client.keys.{create,list,get,update,delete,rotate}.
Audit-of-audit: reading /v1/audit writes an audit_read compliance event.
Nine new compliance event types covering agent key and service key lifecycle.

New endpoints

Method	Path	Purpose
`POST`	`/v1/keys`	Mint a child API key. Requires `Idempotency-Key`.
`GET`	`/v1/keys`	List child API keys. Paginated.
`GET`	`/v1/keys/{id}`	Fetch one child API key. Returns the soft-revoked row even after `DELETE`.
`PATCH`	`/v1/keys/{id}`	Update name, label, line scope, cap, or permissions.
`DELETE`	`/v1/keys/{id}`	Soft-revoke. Effect is immediate, no grace window.
`POST`	`/v1/keys/{id}/rotate`	Mint a new plaintext, revoke the old. Requires `Idempotency-Key`.
`GET`	`/v1/audit`	Read the compliance event stream. Uses a regular API key, not a service key. Writes an `audit_read` event on every read.

New error codes

Code	HTTP	When
`missing_idempotency_key`	400	`POST /v1/keys` or rotate called without `Idempotency-Key` header.
`idempotency_key_reused`	409	Same idempotency key reused with a different body (same method+path) within the 12-hour cache window.
`idempotency_in_progress`	409	A prior request with this `Idempotency-Key` is still in-flight. Retry after about 1s.

Four envelopes from v0.5.6.0 are now also documented in the OpenAPI spec: agent_scope_error (403), agent_permission_denied (403), agent_cap_exceeded (402), and m3_fraud_block (403).

SDK updates

All three official clients gain a keys resource:

TypeScript (@saperly/sdk): client.keys.create / list / get / update / delete / rotate. Auto-generates Idempotency-Key (UUID v4) when one isn’t passed.
Python (saperly): same surface, snake_case (agent_label, line_id, monthly_cap_cents, idempotency_key). Sync and async clients.
MCP (@saperly/mcp): same surface as tools. Destructive tools (keys.delete, keys.rotate) require confirm: true in the tool call.

Next steps

Read the Service keys concept page
Follow the Agent onboarding quickstart
Step through the upgrade guide if you have an existing integration

Headline. Service keys (sk_svc_…) can now mint, rotate, and revoke API keys via POST /v1/keys. Your agent manages its own credentials with full audit lineage.

For the full concept page, see Service keys. To upgrade an existing integration, see the dedicated upgrade guide.

What changed

New credential type: service keys (sk_svc_test_… / sk_svc_live_…), generated from the portal, used for /v1/keys credential management. They authenticate the same way as regular API keys (Authorization: Bearer …) but cannot place calls, send SMS, or read /v1/audit.
Six new endpoints under /v1/keys for child key lifecycle, plus GET /v1/audit for the compliance event stream.
New Service Keys tab in the portal (Settings → Keys).
TypeScript, Python, and MCP SDKs all expose client.keys.{create,list,get,update,delete,rotate}.
Audit-of-audit: reading /v1/audit writes an audit_read compliance event.
Nine new compliance event types covering agent key and service key lifecycle.

New endpoints

Method	Path	Purpose
`POST`	`/v1/keys`	Mint a child API key. Requires `Idempotency-Key`.
`GET`	`/v1/keys`	List child API keys. Paginated.
`GET`	`/v1/keys/{id}`	Fetch one child API key. Returns the soft-revoked row even after `DELETE`.
`PATCH`	`/v1/keys/{id}`	Update name, label, line scope, cap, or permissions.
`DELETE`	`/v1/keys/{id}`	Soft-revoke. Effect is immediate, no grace window.
`POST`	`/v1/keys/{id}/rotate`	Mint a new plaintext, revoke the old. Requires `Idempotency-Key`.
`GET`	`/v1/audit`	Read the compliance event stream. Uses a regular API key, not a service key. Writes an `audit_read` event on every read.

New error codes

Code	HTTP	When
`missing_idempotency_key`	400	`POST /v1/keys` or rotate called without `Idempotency-Key` header.
`idempotency_key_reused`	409	Same idempotency key reused with a different body (same method+path) within the 12-hour cache window.
`idempotency_in_progress`	409	A prior request with this `Idempotency-Key` is still in-flight. Retry after about 1s.

Four envelopes from v0.5.6.0 are now also documented in the OpenAPI spec: agent_scope_error (403), agent_permission_denied (403), agent_cap_exceeded (402), and m3_fraud_block (403).

SDK updates

All three official clients gain a keys resource:

TypeScript (@saperly/sdk): client.keys.create / list / get / update / delete / rotate. Auto-generates Idempotency-Key (UUID v4) when one isn’t passed.
Python (saperly): same surface, snake_case (agent_label, line_id, monthly_cap_cents, idempotency_key). Sync and async clients.
MCP (@saperly/mcp): same surface as tools. Destructive tools (keys.delete, keys.rotate) require confirm: true in the tool call.

Next steps

Read the Service keys concept page
Follow the Agent onboarding quickstart
Step through the upgrade guide if you have an existing integration