API Keys
Create scoped API keys with permission sets, wallet restrictions, IP allowlists, and expiry.
Overview
API keys authenticate every request to the Wallgent API. Keys come in two formats:
- wg_test_*: Sandbox environment. Can only access sandbox wallets and data.
- wg_live_*: Production environment. Requires KYB approval and production activation before you can create these.
The raw secret is shown only once at creation. Store it immediately in your secrets manager.
Creating a Key
POST /v1/api-keys
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | No | Human-readable label |
| permissions | string[] | No | Permissions to grant (defaults to caller's permissions) |
| environment | string | No | SANDBOX or PRODUCTION (defaults to caller's environment) |
| allowedIps | string[] | No | IP addresses allowed to use this key |
| expiresAt | string | No | ISO 8601 expiry timestamp |
```javascript
import Wallgent from '@wallgent/sdk'

const wg = new Wallgent({ apiKey: process.env.WALLGENT_API_KEY })

const { secret, id } = await wg.apiKeys.create({
  name: 'Payment agent — prod',
  permissions: ['payments:write', 'wallets:read'],
  expiresAt: '2027-01-01T00:00:00Z',
})

// Store `secret` now — it will never be shown again
console.log('Key ID:', id)
// Printed here for illustration only; in a real service, write the secret
// to your secrets manager and keep it out of logs
console.log('Key secret:', secret)
```

Full Permissions Reference
| Permission | Description |
|---|---|
| wallets:read | View wallet balances and details |
| wallets:write | Create, update, freeze, and close wallets |
| payments:read | List and retrieve payment records |
| payments:write | Send payments, batch payments, and reversals |
| policies:read | View spend policies |
| policies:write | Create, update, and delete policies |
| webhooks:read | View webhook configurations |
| webhooks:write | Create, update, and delete webhooks |
| cards:sensitive_read | Read full card numbers and CVVs (requires audit logging) |
| invoices:read | View invoices and line items |
| invoices:write | Create, finalize, void, and refund invoices |
| merchants:read | View merchant profiles |
| merchants:write | Create and update merchant profiles |
| organizations:read | View organization details and settings |
| organizations:write | Update organization settings |
| billing:read | View billing plan, invoices, and payment methods |
| billing:write | Subscribe, change plans, and manage payment methods |
| api_keys:read | List API keys (secrets are always masked) |
| api_keys:write | Create and revoke API keys |
| approvals:read | List and view pending approvals |
| approvals:write | Approve and reject pending payments |
| delegations:read | View delegations your org has granted |
| delegations:write | Create and revoke delegations |
Wallet Scoping
Restrict a key to operate only on specific wallets. This is ideal for agent isolation: each agent gets a key that can only touch its own wallet.
```javascript
// This key can only send payments from wal_agent1 and wal_agent2
const agentKey = await wg.apiKeys.create({
  name: 'Agent-42 key',
  permissions: ['payments:write', 'wallets:read'],
  // Wallet scoping is enforced at the policy layer — create per-wallet keys
  // by provisioning one key per wallet and storing the mapping
})
```

When a wallet-scoped API key attempts to operate on a wallet outside its scope, the request is rejected with PERMISSION_DENIED.
IP Allowlisting
Restrict a key to specific source IP addresses. Requests from any other IP are rejected.
```javascript
const serverKey = await wg.apiKeys.create({
  name: 'Backend server key',
  permissions: ['payments:write'],
  allowedIps: ['203.0.113.10', '203.0.113.11'],
})
```

Key Expiry
Keys can auto-expire at a specified timestamp. Once expired, the key is rejected as if it had been revoked. Use expiry for short-lived automation tasks or contractor access.
```javascript
const tempKey = await wg.apiKeys.create({
  name: 'Temporary contractor access',
  permissions: ['wallets:read', 'payments:read'],
  expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(), // 7 days
})
```

Privilege Escalation Prevention
A key cannot create another key with more permissions than it holds. Only keys with the full set of all permissions can create new keys. A scoped key — for example one with only wallets:read — cannot create a key with payments:write.
This prevents a compromised low-privilege key from bootstrapping itself into broader access.
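A pre-flight lint for key-creation requests, covering the escalation rule above together with the allowlist and expiry options. This is an added example, not Wallgent code: the field names come from the request-body table, while `lintKeyRequest`, the `HIGH_RISK` set, the 90-day limit, and the IPv4-only check are assumptions made for illustration.

```javascript
// Added example (not Wallgent code): lint a key-creation request before sending it.
// Field names follow the request-body table; thresholds and HIGH_RISK are assumptions.
const HIGH_RISK = new Set(['cards:sensitive_read', 'api_keys:write']);
const MAX_LIFETIME_DAYS = 90; // assumed organisational limit

// Assumption: allowlist entries are plain dotted-quad IPv4 addresses.
function isIPv4(s) {
  const parts = String(s).split('.');
  return parts.length === 4 &&
    parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Returns a list of findings; an empty list means the request passes.
function lintKeyRequest(req, callerPermissions, now = new Date()) {
  const findings = [];
  const held = new Set(callerPermissions);
  if (!Array.isArray(req.permissions) || req.permissions.length === 0) {
    // The page says omitted permissions default to the caller's permissions.
    findings.push('permissions omitted or empty: key inherits the caller permissions');
  } else {
    for (const p of req.permissions) {
      if (!held.has(p)) findings.push(`escalation: caller does not hold ${p}`);
      if (HIGH_RISK.has(p)) findings.push(`high-risk permission requested: ${p}`);
    }
  }
  const ips = req.allowedIps ?? [];
  for (const ip of ips) {
    if (!isIPv4(ip)) findings.push(`allowedIps entry is not a plain IPv4 address: ${ip}`);
  }
  const expiry = req.expiresAt ? new Date(req.expiresAt) : null;
  if (expiry && Number.isNaN(expiry.getTime())) {
    findings.push('expiresAt is not a valid timestamp');
  } else if (expiry && expiry <= now) {
    findings.push('expiresAt is already in the past');
  } else if (expiry && (expiry - now) / 864e5 > MAX_LIFETIME_DAYS) {
    findings.push(`expiresAt is more than ${MAX_LIFETIME_DAYS} days away`);
  }
  if (req.environment === 'PRODUCTION') {
    if (ips.length === 0) findings.push('production key has no IP allowlist');
    if (!expiry) findings.push('production key has no expiry');
  }
  return findings;
}
```

Run it in the provisioning pipeline and refuse to call the create endpoint while the returned list is non-empty.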
Listing Keys
GET /v1/api-keys
The raw secret is never included in list responses. Only the last 4 characters of the key ID are shown as a hint.

```javascript
const { data } = await wg.apiKeys.list()
for (const key of data) {
  console.log(`${key.name} (${key.environment}) — last used: ${key.lastUsedAt ?? 'never'}`)
}
```

Revoking a Key
DELETE /v1/api-keys/:id
Revocation is immediate. Any in-flight requests using the key after revocation will be rejected.

```javascript
await wg.apiKeys.revoke('wg_test_abc123...')
```

Zero-Downtime Key Rotation
Step 1: Create a new key with the same permissions
```javascript
const newKey = await wg.apiKeys.create({
  name: 'Payment agent — rotated 2026-03',
  permissions: ['payments:write', 'wallets:read'],
})
```

Step 2: Update your service to use the new key
Deploy the new secret to your environment and confirm the service is operating normally.
Step 3: Revoke the old key
```javascript
await wg.apiKeys.revoke(oldKeyId)
```

API Endpoints
| Method | Path | Description |
|---|---|---|
| POST | /v1/api-keys | Create a new API key |
| GET | /v1/api-keys | List keys (secrets masked) |
| PATCH | /v1/api-keys/:id | Update key name, permissions, or IP allowlist |
| DELETE | /v1/api-keys/:id | Revoke a key |
MCP Tools
| Tool | Description |
|---|---|
| wallgent_create_api_key | Create a scoped API key |
| wallgent_list_api_keys | List API keys for your organization |
| wallgent_revoke_api_key | Revoke an API key immediately |
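The three steps under Zero-Downtime Key Rotation, combined into one routine that revokes the old key only after the new one is proven, and discards the new key if verification fails. This is an added example, not Wallgent code: `rotateKey`, the `deploy` and `healthCheck` hooks, and the in-memory `makeFakeClient` stand-in (with constructed key IDs and secrets) are hypothetical, and only the `apiKeys.create` / `apiKeys.revoke` call shapes are taken from the page.

```javascript
// Added example: rotation with rollback. `client` is any object exposing
// apiKeys.create/revoke as used on this page; `deploy` and `healthCheck`
// are hypothetical hooks supplied by the caller.
async function rotateKey(client, oldKeyId, spec, { deploy, healthCheck }) {
  // Step 1: mint the replacement with the same permissions as the old key.
  const { id: newKeyId, secret } = await client.apiKeys.create(spec);
  try {
    // Step 2: ship the new secret, then prove the service works with it.
    await deploy(secret);
    if (!(await healthCheck())) throw new Error('health check failed on new key');
  } catch (err) {
    // Roll back: the old key is still valid, so discard the unproven one.
    await client.apiKeys.revoke(newKeyId);
    return { rotated: false, activeKeyId: oldKeyId, reason: err.message };
  }
  // Step 3: only now revoke the old key; revocation is immediate.
  await client.apiKeys.revoke(oldKeyId);
  return { rotated: true, activeKeyId: newKeyId };
}

// Constructed in-memory stand-in for the API so the example runs offline.
function makeFakeClient() {
  const live = new Set(['key_old']);
  let n = 0;
  return {
    live,
    apiKeys: {
      async create() {
        const id = `key_new${++n}`;
        live.add(id);
        return { id, secret: `wg_test_constructed_${n}` };
      },
      async revoke(id) { live.delete(id); },
    },
  };
}

// Runs one rotation against the stand-in and reports which keys remain live.
async function demo(healthy) {
  const client = makeFakeClient();
  const result = await rotateKey(client, 'key_old',
    { name: 'Payment agent (rotated)', permissions: ['payments:write', 'wallets:read'] },
    { deploy: async () => {}, healthCheck: async () => healthy });
  return { result, live: [...client.live] };
}
```

On the rollback path the service must be pointed back at the previous secret version held in the secrets manager, since the old secret cannot be retrieved from the API again.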