API keys
Agents authenticate to the gateway with scoped API keys, prefixed
rcsk_. Keys are a separate rail from the human app — neither token is accepted
on the other’s surface.
Mint a key
Keys are minted by an org admin from the dashboard (or the gateway). The plaintext key is shown once and then stored only as a SHA-256 hash — if you lose it, you mint a new one.
    # The mint endpoint returns the plaintext key a single time
    → { data: { key: "rcsk_live_…" } }

Export it where your agent surface can read it:

    export RCS_AGENT_KEY=rcsk_live_…

Treat rcsk_live_… like a password. It is displayed a single time and stored
only as a SHA-256 hash. Anyone with the plaintext key can act within its
scopes until you revoke it.
Scopes (least privilege)
Each key carries a least-privilege set of scopes — so a key can only do what it was minted for, and it’s revocable at any time.
| Scope | Grants |
|---|---|
| templates:read | Search, fetch, and render templates |
| templates:write | Author new templates |
| templates:submit | Submit drafts to the provider for approval |
| marketplace:clone | Clone marketplace listings into your org |
| messages:send | Send messages to an E.164 list |
| usage:read | Read month-to-date metered usage |
Mint read-only keys for discovery agents, and reserve messages:send for the
small set of agents that actually broadcast.
How sending stays safe
Sending is hardened beyond scopes:
- Destinations are validated as E.164 numbers.
- The gateway is rate-limited.
- An agent send must clear the exact same provider-approval gate as a human send — an unapproved template cannot ship.
Rotation & revocation
Keys are revocable at any time. Rotate by minting a new key, updating
RCS_AGENT_KEY in your agent’s environment, and revoking the old one. Because
only the hash is stored, revocation is immediate and irreversible.
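
The hash-only storage, per-key scope check, and rotate-then-revoke flow described on this page can be modelled as follows. This is an added example, not the gateway's own code: the `KeyStore` class, its method names, and the 32-byte random key body are assumptions made for illustration.

```python
import hashlib
import secrets

PREFIX = "rcsk_"  # key prefix as stated on this page


class KeyStore:
    """Hypothetical in-memory key store; holds SHA-256 digests, never plaintext."""

    def __init__(self):
        self._records = {}  # hex digest -> {"scopes": frozenset, "revoked": bool}

    @staticmethod
    def _digest(plaintext):
        return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()

    def mint(self, scopes):
        # Assumed key body: 32 random bytes. A fast unsalted hash is only
        # acceptable because the key is high-entropy, unlike a human password.
        plaintext = PREFIX + "live_" + secrets.token_urlsafe(32)
        self._records[self._digest(plaintext)] = {
            "scopes": frozenset(scopes), "revoked": False}
        return plaintext  # returned once; not retained anywhere in the store

    def authorize(self, presented, required_scope):
        # Tokens from another rail (no rcsk_ prefix) are rejected outright.
        if not presented.startswith(PREFIX):
            return False
        record = self._records.get(self._digest(presented))
        if record is None or record["revoked"]:
            return False
        return required_scope in record["scopes"]  # deny unless explicitly granted

    def revoke(self, presented):
        record = self._records.get(self._digest(presented))
        if record is None:
            return False
        record["revoked"] = True  # takes effect on the very next authorize() call
        return True

    def rotate(self, old_key):
        # Mint the replacement first, then revoke the old key. In a real rotation
        # the agent's RCS_AGENT_KEY is updated between these two steps.
        record = self._records.get(self._digest(old_key))
        if record is None or record["revoked"]:
            return None
        new_key = self.mint(record["scopes"])
        self.revoke(old_key)
        return new_key
```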