Revoke or cap a key

If a key leaks or you want to limit its blast radius, you have two levers: revoke (kill the key) or cap (let it keep working but bound the spend).

Revoke — instant kill

  1. Go to /account/api-keys.
  2. Find the key by its prefix (e.g. mcp_abc123…).
  3. Click Revoke. The key stops authenticating on the next call (and within ~5 min on cached paths).

Cap an existing key

Per-key spend caps stop runaway autonomous loops without revoking the key. Daily and monthly limits both supported. Once exceeded, paid calls hard-stop with payment_required until the period rolls over.

Set caps when issuing the key, or via the API:

# (planned UI in /account/api-keys per-key edit form)
PATCH /api/publisher/keys/:id
{
  "dailyCapCents": 500,        // $5/day
  "monthlyCapCents": 5000,     // $50/month
  "scopes": ["mcp:read", "mcp:tools"]
}

Audit who did what

Every issue, revoke, scope change, and cap change writes a row to the audit log. Track per-key activity in /account/requests filtered by API key.