Identity, scopes, rotation
API keys
Key types, what scopes actually gate, and how to rotate without downtime.
Every request to the Mynd API authenticates with a bearer key, and every key carries an explicit scope list. The trust kernel checks scopes at execution time, not at the door — a run that tries to read finance data with a documents-only key fails at the fetch step with scope_denied, and the attempt is logged.
Key types
| prefix | type | use |
|---|---|---|
| sk_live_ | secret, production | Server-side only. Full scope grants allowed. Never ship to a client. |
| sk_test_ | secret, sandbox | Hits the sandbox environment; runs execute against synthetic context. |
| pk_live_ | publishable | Browser-safe. Can only mint short-lived session tokens, nothing else. |
| sk_ci_ | restricted CI | Read-only by default; for eval suites and trace replay in pipelines. |
Scopes
Scopes are resource:verb pairs. A key holding calendar:read can never write to a calendar, regardless of what a run plans. Grant the minimum and widen when a run fails with scope_denied — the error names the missing scope.
- runs:write — create and delete runs
- runs:read — retrieve runs and traces
- context:documents, context:calendar, context:finance — per-source read grants
- agents:execute — allow runs that invoke tools
- webhooks:manage — create and rotate webhook endpoints
Rotation
Keys rotate with zero downtime: create the replacement, deploy it, then revoke the old key. Revocation is immediate and global. The dashboard shows last-used timestamps per key, so a key that has been quiet for 30 days is safe to kill. Rotate on any suspected exposure and at least quarterly — the CLI's `mynd keys rotate` automates the overlap window.
```
mynd keys create --scopes runs:write,runs:read,context:documents
mynd keys revoke sk_live_old_key_id   # after the new key is deployed
```
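The following is an added example, not Mynd's own tooling: a small audit over a key inventory that applies the rules stated above (keys quiet for 30 days, rotation at least quarterly, CI keys read-only by default). The record schema, the reading of "quarterly" as 90 days, and the sample key ids are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

QUIET = timedelta(days=30)     # page: a key quiet for 30 days is safe to revoke
MAX_AGE = timedelta(days=90)   # assumption: "at least quarterly" taken as 90 days
# Scopes the page describes as read grants; anything else counts as non-read.
READ_SCOPES = {"runs:read", "context:documents", "context:calendar", "context:finance"}

def audit(keys, now):
    """Return {key_id: [findings]} for key records in a hypothetical export schema."""
    report = {}
    for k in keys:
        findings = []
        last_activity = k["last_used"] or k["created"]  # never-used keys age from creation
        if now - last_activity >= QUIET:
            findings.append("quiet >= 30 days: revoke")
        elif now - k["created"] >= MAX_AGE:
            findings.append("older than a quarter: rotate")
        extra = sorted(set(k["scopes"]) - READ_SCOPES)
        if k["id"].startswith("sk_ci_") and extra:
            findings.append("CI key holds non-read scopes: " + ",".join(extra))
        if findings:
            report[k["id"]] = findings
    return report

def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW = _d(2024, 6, 30)  # fixed so the result is reproducible
SAMPLE_KEYS = [  # constructed records, not real key ids
    {"id": "sk_live_example_a", "created": _d(2024, 1, 10), "last_used": _d(2024, 6, 29),
     "scopes": ["runs:write", "runs:read"]},
    {"id": "sk_live_example_b", "created": _d(2024, 5, 1), "last_used": _d(2024, 5, 20),
     "scopes": ["runs:read", "context:documents"]},
    {"id": "sk_ci_example_c", "created": _d(2024, 6, 1), "last_used": _d(2024, 6, 28),
     "scopes": ["runs:read", "runs:write"]},
    {"id": "sk_test_example_d", "created": _d(2024, 6, 15), "last_used": None,
     "scopes": ["runs:read"]},
]

if __name__ == "__main__":
    for key_id, findings in audit(SAMPLE_KEYS, NOW).items():
        print(key_id, "->", "; ".join(findings))
```

Keys with no findings are left out of the report, so an empty result means the inventory meets all three rules.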