SDK Authentication
Conto SDK requests authenticate with agent-specific SDK keys:Choose the Right Credential
Use the credential type that matches the job you need to do:| Credential | Format | Best for | Notes |
|---|---|---|---|
| Standard SDK key | conto_agent_... | The agent payment lifecycle (request, execute, approve, confirm) plus agent-scoped reads | Works with the Conto client |
| Admin SDK key | conto_agent_... | Delegated agent workflows that need elevated access to agents, wallets, or policies | Agent-scoped identity with an expanded scope preset |
| Organization API key | conto_... | Backend/admin automation across the whole organization | Use with ContoAdmin |
ContoAdmin requires an organization API key. Admin SDK keys can call elevated HTTP API
endpoints, but they are not a drop-in replacement for the ContoAdmin constructor.Generate SDK Keys
Via Dashboard
Choose a preset
Select Standard for the payment lifecycle plus read access, or Admin if the agent also
needs elevated management access.
Via API
POST /api/agents/{agentId}/sdk-keys accepts name, optional expiresInDays, and optional
keyType. Standard keys created through this endpoint use the standard preset shown above:
the payment lifecycle plus read scopes.Use SDK Keys
Client initialization and environment-variable setup live in SDK Installation: pass the agent SDK key asapiKey to Conto, and the
organization API key as orgApiKey to ContoAdmin.
Admin SDK Reference
Use organization API keys with
ContoAdmin for organization-wide provisioning and management.Organization API keys are the right credential for programmatic wallet provisioning and cleanup.
That includes
create, get, update, and delete wallet operations through the
Admin SDK or the corresponding /api/wallets HTTP endpoints. To archive a wallet, use
update({ status: 'ARCHIVED' }).Standard SDK Scopes
Standard SDK keys cover the full payment lifecycle plus read access. Spending control comes from policies, spend limits, approvals, and custody, not from withholding payment scopes.| Scope | Included by default | Description |
|---|---|---|
payments:request | Yes | Request policy evaluation for a payment |
payments:execute | Yes | Execute approved payments or use autoExecute |
payments:approve | Yes | Approve external-wallet payments |
payments:confirm | Yes | Confirm external-wallet payments |
wallets:read | Yes | View wallet balances and limits |
policies:read | Yes | View policies assigned to the agent |
transactions:read | Yes | View transaction history |
counterparties:read | Yes | View counterparties and trust data |
alerts:read | Yes | View alerts related to the agent |
agents:read | Yes | View agent profile and setup summary |
analytics:read | Yes | View spend analytics |
network:read | Yes | Query network trust data |
transactions:write | No | Retry failed transactions or record x402/MPP transactions |
policies:exceptions | No | Request and view policy exceptions |
counterparties:write | No | Create and update counterparties |
alerts:write | No | Acknowledge and resolve alerts |
audit:read | No | View audit logs |
Standard SDK keys created through the SDK-key management endpoint start from this preset, and the
creation response lists the granted
scopes. Every payment a standard key executes still passes
through policy evaluation, spend limits, and any approval workflows. Use keyType: "admin" only
when the agent needs delegated management access to agents, wallets, or policies.Admin SDK Keys
Admin SDK keys use an elevated preset intended for delegated agent management workflows. They include:- All standard SDK scopes
agents:writewallets:writepolicies:write
admin super-scope.
They also cannot create other admin SDK keys. That escalation path is blocked intentionally.
Key Expiration
All SDK keys have a mandatory expiration.| Value | Behavior |
|---|---|
| Omitted | Defaults to 365 days |
30 | Short-lived testing key |
90 | Recommended production rotation window |
365 | Long-lived standard key |
730 | Maximum allowed lifetime |
Revoke Keys
Via Dashboard
- Go to Agents
- Open the agent
- Open SDK Keys
- Click Revoke
Via API
Best Practices
- Store SDK keys in a secrets manager, not in source control.
- Use separate keys for development, staging, and production.
- Prefer standard keys unless the agent truly needs elevated management access.
- Standard keys can move funds, so constrain agents with policies, spend limits, and approval workflows rather than treating the key as the control surface.
- Rotate keys on a schedule instead of waiting for emergency revocations.