Skip to main content
API keys connect your application to Averta’s runtime decision API. Every SDK wrapper call uses one Averta API key, and that key determines which policy applies.

Fast Path

  1. Open the Averta Dashboard.
  2. Go to API Keys.
  3. Create a key for the environment or agent you are integrating.
  4. Attach the policy you want to enforce.
  5. Copy the secret immediately.
  6. Set it as AVERTA_API_KEY in your app.
  7. Run one guarded request and confirm an event appears.
The plaintext secret is shown once. If you lose it, create a new key and rotate your app configuration.

Runtime Usage

export AVERTA_API_KEY="your-averta-key"
Provider wrappers read this environment variable automatically. Use explicit wrapper key options only for unusual cases, such as selecting a different key for one client in the same process. OpenAI: 
import OpenAI from "openai";
import { wrapOpenAI } from "@averta-security/sdk-openai";

let client = new OpenAI({
  apiKey: process.env.OPENAI_API_KEY!,
});

client = wrapOpenAI(client);
Anthropic: 
import Anthropic from "@anthropic-ai/sdk";
import { wrapAnthropic } from "@averta-security/sdk-anthropic";

let client = new Anthropic({
  apiKey: process.env.ANTHROPIC_API_KEY!,
});

client = wrapAnthropic(client);

Table Fields

FieldMeaning
NameHuman-readable key label.
KeyMasked key prefix for debugging.
PolicyPolicy currently attached to the key.
Created byUser who created the key.
Created atCreation timestamp.
Use names and prefixes that make Events easy to investigate. A key named prod-support-agent is more useful than new key.

Policy Attachment

A key without a policy is not ready for normal runtime enforcement. Attach a policy before using the key in an SDK integration. You can change the attached policy without changing application code, which is the reason policy attaches to the key instead of being hardcoded in the app.
BoundaryRecommendation
ProductionSeparate key with a production policy.
StagingSeparate key with a staging policy.
Local developmentSeparate key if local traffic should be easy to filter.
Multiple agentsSeparate keys when ownership, policy, or event investigation differs.
Retired appsDelete or rotate keys immediately.
Do not share one catch-all key across every agent. It makes event investigation harder and policy changes riskier.

Troubleshooting

SymptomCheck
SDK returns 401Averta key is missing, malformed, or revoked.
SDK returns 403Key may not have an attached policy or may not be allowed for runtime decisions.
No events appearConfirm the app is using this key and calling a supported wrapped method.
Production traffic appears under stagingVerify deployed environment variables.
Events are hard to correlateUse clearer key names and pass requestContext.
A retired app still produces eventsDelete or rotate the old key.

Access

RoleKey access
OwnerView, create, and delete keys.
AdminView, create, and delete keys.
UserNo API key management access.
Deleting a key revokes it immediately. Any integration still using that secret will stop making Averta decisions.

Next Steps

Policies

Create and tune the policy attached to this key.

Events

Confirm the key is producing runtime decisions.