Automation keys are live. Mint them under Settings → API Keys, or let
an AI agent request one through the human-approved
agent_auth device flow
("requested_key_type": "management" — see the
agent authentication guide). Every grant is
permission-scoped and can never exceed its approver’s own permissions.
If you are integrating the
@visiq/harness SDK, you want a
harness key — the dashboard studios mint one for you. This
section is about the other audience: automation keys (also called
management keys), which let your own automation call the VisIQ management API
at https://api.visiqlabs.com.
What an automation key is
An automation key is a bearer credential for the management API:403 harness_key_not_permitted, no
matter what it is otherwise allowed to do. An automation key, by contrast, may
call any endpoint its permissions allow — including the SDK operational
endpoints.
The permission model
Every automation key carries an explicit list of permissions — the sameresource:action catalogue that governs your team members (for example
allow_rules:view, allow_agents:create, allow_audit_log:view). You pick
the permissions when you create the key, grouped exactly as they appear in the
team Roles matrix.
Enforcement is exact and fail-closed:
- A request is allowed only when the permission required by that route is
in the key’s list. There is no wildcard expansion and no implication
between permissions —
allow_rules:viewdoes not grantallow_rules:update. - Anything not explicitly granted is denied with
403 insufficient_permission. The response names the permission the route required and the permissions the key actually holds, so a denial is always diagnosable:
allow_audit_log:view — not Grant all.
Operational SDK routes. A management key is a superset of a harness key,
so it can also reach the runtime endpoints. The evaluation legs — the unified
POST /evaluate plus the per-plane POST /allow/evaluate and
POST /recall/evaluate — are gated by coarse product scopes: a management key
holding a …:write-class permission for a product derives the matching write
scope and can evaluate through it. Two runtime routes require an explicit
permission on top: record envelope ingestion (POST /record/envelopes) also
requires record_records:create, and writing agent attribution
(POST /allow/agents/register) also requires allow_agents:create. If you
only want a key to reach the management API (rules, agents, audit) and never
the evaluate path, grant read-class permissions — they do not derive the write
scopes that open the operational routes.Legacy scoped keys still work. Keys created before explicit permissions
shipped carry coarse scopes instead of a permission list. The scope
vocabulary is the per-product pairs
allow:read/allow:write,
recall:read/recall:write, record:read/record:write, the unified
rules:read/rules:write/rules:evaluate (the unified read and write scopes
subsume their per-product counterparts; rules:evaluate is evaluation-only
and never satisfies a rule-management gate), and full_access. Scoped keys
are still honored under the original scope-mapping rules, and a scope denial
returns 403 insufficient_scope. New automation keys always use explicit
permissions.Built-in guardrails
Automation keys ship with the security properties a credential system should have, on by default:- Privilege-bound minting — a key can never be created with permissions
its creator does not hold. The request is rejected with
403and the list of exceeded permissions, so a narrowly-permissioned caller cannot bootstrap a stronger key. - Audited lifecycle — every create, rotate, and revoke is written to your tenant audit log; key creation and rotation abort (rolling back the new secret) if the audit write fails. There is no unaudited key event.
- Hashed at rest — VisIQ stores only a SHA-256 hash of each key and verifies it with a timing-safe comparison. The plaintext is shown exactly once, at creation.
- Fail-closed authentication — expired keys (including a lapsed rotation grace window) stop authenticating immediately, and every key is rate limited with a per-key sliding window.
Where to create one
Open Settings → API Keys and click Create New Key — naming the key, picking its environment and expiry, and selecting its permissions. The full key is shown exactly once. AI agents can instead self-register via theagent_auth device flow and receive a management key after human approval.
See the managing keys guide for the complete flow,
rotation, rate limits, and error reference.
Managing automation keys
Creation flow, key format, expiry, rotation with grace windows, rate
limits, and error codes.
Action Governance API
The management endpoints for rules, agents, audit log, HITL, and settings.