Creating Keys
Create API keys from the dashboard to authenticate API requests, launch cloud agents, or integrate Creor into your CI/CD pipeline.
- Go to Dashboard > Settings > API Keys.
- Click "Create Key".
- Enter a descriptive name (e.g., "ci-pipeline-prod", "cloud-agents-staging").
- Select the key scope (see Key Scopes below).
- Optionally set an expiration date.
- Click "Create" and copy the key immediately.
Warning
Key Format
Creor API keys follow a consistent format that makes them easy to identify and rotate.
cr_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx # Production key cr_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxx # Test/staging key
The prefix indicates the environment. Test keys work with the staging API and do not consume real credits.
IDE Auto-Created Keys
When you sign into Creor from the IDE for the first time, a key is automatically created for that device. This key is used to authenticate the engine's API requests to the Creor Gateway.
- Auto-created keys are named after your device (e.g., "MacBook Pro - Creor IDE").
- They have "IDE" scope, which includes gateway inference and basic API access.
- One key is created per device. Signing in again on the same device reuses the existing key.
- Auto-created keys appear in the API Keys list and can be revoked like any other key.
Note
Key Scopes
Scopes control what an API key can access. Follow the principle of least privilege -- give each key only the permissions it needs.
| Scope | Permissions | Use Case |
|---|---|---|
| IDE | Gateway inference, provider list, session management | Automatically assigned to IDE-created keys. |
| Cloud Agents | Launch, manage, and monitor cloud agent runs | CI/CD pipelines, automated workflows. |
| Gateway | Gateway inference only (no agent or dashboard access) | Custom applications using the Creor LLM gateway. |
| Admin | Full API access including team management and billing | Workspace administration scripts. |
| Full Access | All permissions combined | Development and testing only. Avoid in production. |
You can combine scopes by selecting multiple when creating a key. For example, a key with "Cloud Agents" + "Gateway" scopes can launch agents and make inference calls but cannot manage team members or billing.
Usage Tracking
Every API key has usage statistics accessible from the dashboard.
| Metric | Description |
|---|---|
| Total requests | Number of API calls made with this key. |
| Last used | Timestamp of the most recent request. |
| Tokens consumed | Total input + output tokens through gateway inference. |
| Credits consumed | Total credits spent via this key. |
| Agent runs | Number of cloud agent runs launched with this key. |
Usage data is updated in near real-time and visible on the key detail page. Use this to identify unused keys (candidates for revocation) and high-usage keys (candidates for monitoring or rate limiting).
Revoking Keys
Revoke a key immediately if it has been exposed, is no longer needed, or if you suspect unauthorized use.
- Go to Dashboard > Settings > API Keys.
- Find the key you want to revoke.
- Click the three-dot menu and select "Revoke".
- Confirm the revocation. This takes effect immediately.
Revoked keys cannot be restored. Any application or service using a revoked key will receive a 401 Unauthorized response on its next request. Create a new key to replace it.
Warning
Security Best Practices
- Use the narrowest scope possible. A CI pipeline that only launches cloud agents does not need Admin scope.
- Set expiration dates on keys used for temporary access or time-limited integrations.
- Rotate keys periodically. Create a new key, update your integrations, then revoke the old key.
- Never commit API keys to version control. Use environment variables or a secrets manager.
- Monitor the "Last used" timestamp. Keys that have not been used in 90+ days are candidates for revocation.
- Use separate keys for separate environments (production, staging, development).
- Enable the low-balance alert to detect unexpected credit consumption, which may indicate a compromised key.