Overview

API keys provide programmatic access to the itellicoAI platform, allowing you to integrate agents into your applications, automate tasks, and build custom workflows.

What are API Keys?

API keys are secure tokens that authenticate your API requests without requiring user login credentials. Key characteristics:
  • Account-scoped: Each key belongs to a specific account
  • Secret: Treat like a password - never share or commit to version control
  • Revocable: Can be disabled or deleted at any time
  • Trackable: Monitor last used timestamp and activity

Creating API Keys

How to Create

  1. Navigate to API Keys
     Go to Settings → API Keys in your account
  2. Click Create API Key
     Click the Create API Key button
     [Image: Create API Key dialog with key name and expiration date fields]
  3. Enter a Label
     Give your key a descriptive name:
       • “Production Server”
       • “Development Environment”
       • “CI/CD Pipeline”
       • “Mobile App - iOS”
  4. Set Expiration (Optional)
     Optionally set an expiration date for automatic key rotation
  5. Copy the Key
     ⚠️ IMPORTANT: The full key is shown only once! Copy it immediately and store securely.
  6. Store Securely
     Save the key in:
       • Environment variables
       • Secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.)
       • Password manager
     Never commit to git or share publicly!
The full API key is displayed only once at creation. If you lose it, you must create a new key.

Using API Keys

Authentication Header

Include your API key in the Authorization header:
curl https://api.itellico.ai/v1/agents \
  -H "Authorization: Bearer sk-a1b2c3d4.xyz789..." \
  -H "Content-Type: application/json"

Account Context

API keys are scoped to their account. When you create a key in a parent account, it can access both the parent and all subaccounts. To access a specific account, include the account ID in the URL path:
# Access parent account
curl https://api.itellico.ai/v1/accounts/me/agents \
  -H "Authorization: Bearer sk-a1b2c3d4.xyz789..." \
  -H "Content-Type: application/json"

# Access specific subaccount
curl https://api.itellico.ai/v1/accounts/{account-id}/agents \
  -H "Authorization: Bearer sk-a1b2c3d4.xyz789..." \
  -H "Content-Type: application/json"

SDKs

Using our official SDKs:
from itellico import ItellicoAI

client = ItellicoAI(api_key="sk-a1b2c3d4.xyz789...")

# List agents
agents = client.agents.list()
Store API keys in environment variables and never hardcode them in your source code.

Managing API Keys

Viewing Keys

The API Keys page shows:
  • Label: Your descriptive name
  • Partial Key: First few characters (e.g., sk-a1b2c3d4...)
  • Status: Active, Revoked, or Expired
  • Created: When the key was created
  • Last Used: When it was last used for an API request
  • Expires: Expiration date (if set)
The full key is never shown after creation - only the first few characters for identification.

Editing Keys

You can update:
  • Label: Change the descriptive name
  • Expiration date: Extend or set expiration
You cannot change:
  • The key itself (create a new one instead)
  • The account it belongs to

Revoking Keys

To temporarily disable a key without deleting:
  1. Go to Settings → API Keys
  2. Find the key in the list
  3. Click Revoke
  4. The key is disabled immediately
Why revoke instead of delete?
  • Keeps the key in logs for auditing
  • Can reactivate if revoked by mistake
  • Preserves creation date and history

Reactivating Keys

To restore a revoked key:
  1. Find the revoked key in the list
  2. Click Reactivate
  3. The key works immediately

Deleting Keys

To permanently remove a key:
  1. Go to Settings → API Keys
  2. Find the key in the list
  3. Click the menu (⋯) → Delete
  4. Confirm deletion
Deletion is permanent and cannot be undone. The key will immediately stop working.

Key Statuses

Status  | Description             | API Access
Active  | Key is working normally | ✅ Yes
Revoked | Manually disabled       | ❌ No
Expired | Past expiration date    | ❌ No

Best Practices

Create separate keys for each environment:
  • Development: “Dev Server Key”
  • Staging: “Staging Environment”
  • Production: “Production Server”
Benefits:
  • Revoke dev keys without affecting production
  • Track usage by environment
  • Different expiration policies per environment
Never hardcode API keys in your source code.
Good:
import os
api_key = os.environ['ITELLICO_API_KEY']
Bad:
api_key = "sk-a1b2c3d4.xyz789..."  # DON'T DO THIS!
Environment files (.env):
ITELLICO_API_KEY=sk-a1b2c3d4.xyz789...
Add to .gitignore:
.env
.env.local
*.key
Rotate API keys periodically for security:
Recommended schedule:
  • Production: Every 90 days
  • Staging: Every 180 days
  • Development: Yearly or when developers change
Rotation process:
  1. Create new key with expiration date
  2. Update applications with new key
  3. Test thoroughly
  4. Revoke old key
  5. Delete old key after 30 days
Use expiration dates for:
  • Temporary access: Contractors, demos, POCs
  • Forced rotation: Production keys set to expire in 90 days
  • Time-limited features: Beta testing, trials
Example:
  • Create key on Jan 1
  • Set expiration to Apr 1 (90 days)
  • Get notified 7 days before expiration
  • Rotate key before expiration
Check “Last Used” timestamps regularly:
  • Never used: Delete unused keys
  • Old timestamp: Might be safe to revoke
  • Recent activity: Key is active
Review your API keys monthly to remove inactive ones.
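
The rotation schedule, the expiration window and the “Last Used” review above can be applied in one pass over a key inventory. This is an added example, not itellicoAI code: the `KeyRecord` fields mirror the API Keys page columns, while the `environment` field, the 30-day staleness threshold and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Rotation schedule from the page, in days ("Yearly" taken as 365).
ROTATION_DAYS = {"production": 90, "staging": 180, "development": 365}
EXPIRY_WARNING = timedelta(days=7)  # the page's 7-day notice before expiration
STALE_AFTER = timedelta(days=30)    # assumption: what counts as an "old timestamp"

@dataclass
class KeyRecord:
    label: str
    environment: str  # assumption: recorded by you, not a column on the page
    status: str       # "Active", "Revoked" or "Expired"
    created: date
    last_used: Optional[date] = None
    expires: Optional[date] = None

def audit(keys, today):
    """Return {label: [findings]} for active keys that need attention."""
    report = {}
    for k in keys:
        if k.status != "Active":
            continue  # revoked and expired keys already have no API access
        findings = []
        if k.last_used is None:
            findings.append("never used: delete")
        elif today - k.last_used > STALE_AFTER:
            findings.append("old last-used timestamp: candidate to revoke")
        limit = ROTATION_DAYS.get(k.environment)
        if limit is not None and (today - k.created).days > limit:
            findings.append(f"older than {limit} days: rotate")
        if k.expires is not None and k.expires - today <= EXPIRY_WARNING:
            findings.append("expires within 7 days: rotate now")
        if findings:
            report[k.label] = findings
    return report

# Constructed inventory, as if copied by hand from the API Keys page.
SAMPLE = [
    KeyRecord("Production API Server - us-east-1", "production", "Active",
              date(2024, 1, 1), date(2024, 3, 27), date(2024, 4, 1)),
    KeyRecord("CI/CD - GitHub Actions", "staging", "Active",
              date(2023, 6, 1), date(2024, 1, 10)),
    KeyRecord("Test", "development", "Active", date(2024, 2, 1)),
]

if __name__ == "__main__":
    print(audit(SAMPLE, date(2024, 3, 28)))
```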
Use clear, descriptive key names:
Good labels:
  • “Production API Server - us-east-1”
  • “Mobile App - iOS - Production”
  • “CI/CD - GitHub Actions”
  • “Webhook Handler - Staging”
Bad labels:
  • “API Key 1”
  • “Test”
  • “My Key”
  • “New Key”
Use a secrets manager in production:
Options:
  • AWS Secrets Manager
  • HashiCorp Vault
  • Azure Key Vault
  • Google Secret Manager
  • 1Password / LastPass (for teams)
Benefits:
  • Centralized secret storage
  • Automatic rotation
  • Audit logs
  • Access controls

Security Considerations

Never commit API keys to version control!
If you accidentally commit a key:
  1. Revoke the key immediately
  2. Create a new key
  3. Use git filter-branch or BFG Repo-Cleaner to remove from history
  4. Force push to remote
  5. Notify team members to pull latest
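
To catch a key before it reaches a commit, a pre-commit hook can scan the staged files. This is an added example, not an itellicoAI tool; the key pattern is an assumption inferred from the page's sample `sk-a1b2c3d4.xyz789...`, and the sample string is constructed.

```python
import re
import subprocess
import sys

# Assumption: key shape inferred from the page's sample "sk-a1b2c3d4.xyz789...":
# "sk-", an 8-character identifier, a dot, then the secret part.
KEY_RE = re.compile(r"\bsk-[A-Za-z0-9]{8}\.[A-Za-z0-9_\-]{6,}")

def redact(key):
    """Keep only the identifying prefix, as the API Keys page displays it."""
    return key.split(".", 1)[0] + "..."

def scan(path, text):
    """Return (path, line_no, redacted_key) for each likely key in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            if line[m.end():m.end() + 3] == "...":
                continue  # truncated documentation placeholder, not a key
            hits.append((path, line_no, redact(m.group())))
    return hits

def staged_blobs():
    """Yield (path, text) for files added or modified in the git index."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout.splitlines()
    for path in names:
        blob = subprocess.run(["git", "show", f":{path}"],
                              capture_output=True, check=True).stdout
        yield path, blob.decode("utf-8", errors="replace")

def main():
    hits = [h for path, text in staged_blobs() for h in scan(path, text)]
    for path, line_no, key in hits:
        # Only the redacted prefix is printed, so hook output never leaks the key.
        print(f"{path}:{line_no}: possible API key {key}", file=sys.stderr)
    return 1 if hits else 0  # non-zero exit makes git abort the commit

# Constructed sample: a made-up key in a .env line, and the docs placeholder.
SAMPLE = "ITELLICO_API_KEY=sk-Zq4t9Lm2.Qw8Er5Ty7Ui3Op1As6Df\n# see sk-a1b2c3d4.xyz789...\n"

if __name__ == "__main__":
    sys.exit(main())
```

Saved as `.git/hooks/pre-commit` and made executable, the script blocks any commit in which it finds a match; the printed prefix is enough to locate the key in Settings → API Keys and revoke it.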

If a Key is Compromised

  1. Revoke Immediately
     Go to Settings → API Keys and revoke the compromised key
  2. Create New Key
     Generate a replacement key with a new label
  3. Update Applications
     Deploy the new key to all affected applications
  4. Review Logs
     Check usage logs for suspicious activity
  5. Notify Team
     Inform your team about the incident
  6. Investigate
     Determine how the key was compromised and prevent recurrence

Troubleshooting

Causes:
  • Invalid API key
  • Revoked or expired key
  • Missing Authorization header
  • Incorrect header format
Solutions:
  • Verify the key is active in Settings
  • Check the header: Authorization: Bearer sk-...
  • Ensure no extra spaces or characters
  • Create a new key if lost
Causes:
  • Key doesn’t have access to the requested account
  • Requesting a subaccount the key can’t access
  • Account is inactive
Solutions:
  • Verify the key was created in the parent account or the subaccount you’re accessing
  • Check that the account ID in the URL is correct
  • Verify account status is active
Causes:
  • Exceeded rate limits
  • Too many concurrent requests
Solutions:
  • Implement exponential backoff
  • Cache responses when possible
  • Upgrade to higher tier plan
  • Spread requests over time
Possible causes:
  • Using wrong key (prefix vs full key)
  • Extra characters (newlines, spaces)
  • Revoked immediately after creation
Solutions:
  • Copy the full key including sk- prefix
  • Trim whitespace from stored key
  • Verify status is “Active”
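
A startup check for the stored-key mistakes listed above (the partial key instead of the full key, stray whitespace, a wrong header value). This is an added example, not part of the itellicoAI SDK; the key pattern is an assumption inferred from the sample `sk-a1b2c3d4.xyz789...`, and `load_api_key`, `auth_headers` and `KeyConfigError` are hypothetical names.

```python
import os
import re

# Assumption: a full key looks like the page's sample "sk-a1b2c3d4.xyz789...":
# "sk-", an identifier, a dot, then the secret part.
FULL_KEY_RE = re.compile(r"sk-[A-Za-z0-9]+\.[A-Za-z0-9_\-]+")

class KeyConfigError(ValueError):
    """Raised with a message that never contains the key itself."""

def load_api_key(env=None, var="ITELLICO_API_KEY"):
    """Read the key from the environment and reject common storage mistakes
    before any request is sent."""
    env = os.environ if env is None else env
    raw = env.get(var)
    if not raw or not raw.strip():
        raise KeyConfigError(f"{var} is not set")
    key = raw.strip()  # e.g. a trailing newline from a file or secret store
    if key.lower().startswith("bearer "):
        raise KeyConfigError(f"{var} must hold the key only, without 'Bearer '")
    if not key.startswith("sk-"):
        raise KeyConfigError(f"{var} does not start with the sk- prefix")
    if key.endswith("...") or "." not in key:
        raise KeyConfigError(f"{var} holds the partial key, not the full key")
    if not FULL_KEY_RE.fullmatch(key):
        raise KeyConfigError(f"{var} contains unexpected characters")
    return key

def auth_headers(key):
    """Headers in the form the page's curl examples use."""
    return {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}

if __name__ == "__main__":
    try:
        print(sorted(auth_headers(load_api_key())))  # header names only
    except KeyConfigError as exc:
        print(f"configuration error: {exc}")
```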

FAQs

No hard limit, but we recommend:
  • Small teams: 3-5 keys
  • Medium teams: 10-15 keys
  • Enterprise: As needed per environment
API keys created in a parent account can access both the parent and all its subaccounts. Keys created in a subaccount can only access that subaccount.
API requests using that key will immediately fail with 401 Unauthorized. Update your applications first!
Yes. The “Last Used” timestamp shows when it was last accessed. For detailed logs, contact support about API access logs.
Only if you set an expiration date. Otherwise, keys remain active until revoked or deleted.
Yes! Each subaccount can create independent API keys scoped to that subaccount’s context.
