Skip to main content
Karta authenticates server-to-platform traffic with API keys: bearer tokens shaped kt_live_<32 chars> or kt_test_<32 chars>. Your backend holds one and presents it as Authorization: Bearer kt_live_...; your end users never do.

Shape and storage

  • The token is kt_live_ or kt_test_ followed by 32 characters.
  • Karta stores a one-way digest plus a short prefix for display and lookup.
  • The plaintext is revealed exactly once at creation. Store it immediately.
  • Revoked and expired keys fail closed.
  • Test-mode keys use the same API surface but do not bill live usage.

Scopes

API keys carry only fine-grained operation scopes. Karta automatically translates older coarse scopes to the equivalent operation scopes during deployment. Sensitive scopes require an expiration within 90 days: env:secrets:read, source_archives:read, workspace_tokens:create, audit_log:export, members:invite, members:write, members:owner_role:write, agents:delete, keys:write, and model_keys:write. Scope your keys to the least privilege a caller needs. A CI release key usually wants only releases:write.

Create and manage

Use the CLI for day-to-day key management:
Or use the TypeScript management SDK:
The dashboard, CLI, and API expose the same fine-grained scope set.

Keep keys safe

A kt_live_... key is an organization management credential. Never ship it to a browser or mobile client. For frontend/end-user access, mint a short-lived, agent-scoped session token server-side instead. Treat any leaked key as compromised and revoke it.

Session tokens

The browser-safe, short-lived credential for end users.

Usage & budgets

Org caps, per-key sub-limits, and budget webhooks.