kt_live_<32 chars> or kt_test_<32 chars>. Your backend holds one and
presents it as Authorization: Bearer kt_live_...; your end users never do.
Shape and storage
- The token is
kt_live_orkt_test_followed by 32 characters. - Karta stores a one-way digest plus a short prefix for display and lookup.
- The plaintext is revealed exactly once at creation. Store it immediately.
- Revoked and expired keys fail closed.
- Test-mode keys use the same API surface but do not bill live usage.
Scopes
API keys carry only fine-grained operation scopes. Karta automatically translates older coarse scopes to the equivalent operation scopes during deployment.
Sensitive scopes require an expiration within 90 days:
env:secrets:read, source_archives:read, workspace_tokens:create,
audit_log:export, members:invite, members:write,
members:owner_role:write, agents:delete, keys:write, and
model_keys:write.
Scope your keys to the least privilege a caller needs. A CI release key usually
wants only releases:write.
Create and manage
Use the CLI for day-to-day key management:Keep keys safe
Session tokens
The browser-safe, short-lived credential for end users.
Usage & budgets
Org caps, per-key sub-limits, and budget webhooks.

