Agent API Keys
Create and manage scoped API keys for your AI agents.
Agent API keys are the primary authentication mechanism for AI agents calling Open Connector. Each key is scoped to a Project and carries the project's projectId and orgId in its metadata. Pass the key in the x-api-key header on every request.
What a key gives you
- Access to all connected accounts belonging to the key's project
- Permission to initiate OAuth flows for new users within that project
- Permission to execute tool calls on behalf of any connected account in that project
- Attribution of every audit log entry to the specific project and org
A key does not grant access to other projects in the same org or to the session-authenticated Console API used for administrative and billing operations.
Creating an API key
- Open app.openconnector.dev and select the project.
- Open API Keys in the project section of the sidebar.
- Choose Create, give the key a recognisable name (for example
support-agent-prod), and confirm. - Copy the plaintext key immediately into a secrets manager.
The plaintext key is returned once. Later list views show only non-secret metadata such as its prefix and status. For session-authenticated automation, use the live Console OpenAPI document and its documented routes under /api/v1/console.
Key metadata structure
Every API key embeds scoping metadata that is verified on each request:
Prop
Type
Using a key in requests
Pass the key as the x-api-key header:
curl -X GET "https://api.openconnector.dev/composio/api/v3.1/connected_accounts" \
-H "x-api-key: oc_abc123xyz..."In your agent code:
import { createClient } from "@open-connector/sdk";
const oc = createClient({
apiKey: process.env.OPEN_CONNECTOR_API_KEY!,
baseUrl: "https://api.openconnector.dev",
});import Composio from "@composio/client";
const composio = new Composio({
apiKey: process.env.OPEN_CONNECTOR_API_KEY,
baseURL: "https://api.openconnector.dev/composio",
});Security best practices
Treat agent API keys like passwords. If a key is compromised, any agent holding that key can execute tool calls on behalf of all connected accounts in the project.
- Store keys in a secrets manager (AWS Secrets Manager, Doppler, Vault, or a platform-native equivalent). Never commit them to source control or embed them in client-side code.
- One key per environment. Use separate keys for development, staging, and production so a leak in one environment does not affect others.
- One key per agent. If you run multiple agents (e.g., a research agent and a write agent), give each its own key. This makes rotation and attribution per-agent.
- Rotate on suspicion. If you believe a key may have been exposed, revoke it from the dashboard immediately and issue a replacement. Existing connections are not affected by key rotation.
- Monitor audit logs. Each tool call is written to the audit journal with the key's
projectId. Unexpected spikes in activity may indicate key misuse.
Revoking a key
From the dashboard: open API Keys, use the key's action menu, and choose Revoke. The key stops working immediately. Issue a replacement before revoking the old key to avoid downtime.