Three credentials, each with a job.

Org API key

Your account key. Use it server-side for all management calls — creating agents, starting sessions, registering webhooks, managing credentials.
curl https://api.opencomputer.dev/v3/sessions \
  -H "Authorization: Bearer $OPENCOMPUTER_API_KEY" -d '{ … }'
Never ship the org API key to a browser or mobile client — it can do anything on your account. Use a client token instead.

Client tokens

A session-scoped, short-lived token with read + steer scope — safe to hand to a front-end. It can stream and steer one session and nothing else. You get one back from POST /v3/sessions, and can mint more:
curl https://api.opencomputer.dev/v3/sessions/$ID/client-tokens \
  -H "Authorization: Bearer $OPENCOMPUTER_API_KEY" \
  -d '{ "scopes": ["read", "steer"], "ttl": 3600 }'
The pattern: your backend creates the session with the org key, then hands the client_token to the browser, which uses it directly for the SSE stream and steer calls.
A client token isn’t free to hand out: each steer starts a turn, which consumes tokens on your Anthropic key for the session it’s scoped to. Mint short-lived tokens, and rely on the session’s limits (tokens/turn_seconds/turns) to cap exposure.
browser ──(create task)──▶ your backend ──(org key)──▶ POST /v3/sessions
browser ◀──(client_token)── your backend
browser ──(client_token)──▶ GET …/events (SSE) · POST …/messages
For the SSE stream the browser passes the client token as ?token= (native EventSource can’t set an Authorization header); other calls use the Authorization header normally.
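The backend half of this pattern, as an added example that is not OpenComputer's own code: it builds the mint request with the org key, returns only the token to the browser, and prepares the `?token=` URL for EventSource. Assumptions: the mint response carries the token in a `client_token` field, a JSON Content-Type header is accepted, the TTL bounds are local policy, and the events URL is supplied by the caller.

```javascript
const API = "https://api.opencomputer.dev/v3";
const ALLOWED_SCOPES = ["read", "steer"]; // the two scopes the page names
const MIN_TTL = 60, MAX_TTL = 3600, DEFAULT_TTL = 300; // assumed local policy, seconds

// Validate here so a browser-supplied scope or ttl cannot widen the request.
function buildMintRequest(sessionId, orgKey, { scopes = ["read"], ttl = DEFAULT_TTL } = {}) {
  if (!Array.isArray(scopes) || !scopes.length || scopes.some((s) => !ALLOWED_SCOPES.includes(s)))
    throw new Error("scope not allowed");
  const safeTtl = Number.isFinite(ttl)
    ? Math.min(Math.max(Math.floor(ttl), MIN_TTL), MAX_TTL) : DEFAULT_TTL;
  return {
    // encodeURIComponent keeps a hostile id from rewriting the path
    url: `${API}/sessions/${encodeURIComponent(sessionId)}/client-tokens`,
    init: {
      method: "POST",
      headers: { Authorization: `Bearer ${orgKey}`, "Content-Type": "application/json" },
      body: JSON.stringify({ scopes, ttl: safeTtl }),
    },
  };
}

// Forward only the token to the browser, never the raw API response.
// Assumption: the response carries the token in a `client_token` field.
function browserPayload(apiJson) {
  const token = apiJson && apiJson.client_token;
  if (typeof token !== "string" || token === "") throw new Error("no client token");
  return { client_token: token };
}

// Browser side: EventSource cannot set headers, so the token goes in ?token=.
function sseUrl(eventsUrl, clientToken) {
  const u = new URL(eventsUrl);
  u.searchParams.set("token", clientToken);
  return u.toString();
}

// A token in a query string shows up wherever URLs are logged; redact first.
function redactToken(url) {
  const u = new URL(url);
  if (u.searchParams.has("token")) u.searchParams.set("token", "REDACTED");
  return u.toString();
}

// Server-side only: the org key is read from the environment and stays here.
async function mintClientToken(sessionId, opts, fetchImpl = fetch) {
  const req = buildMintRequest(sessionId, process.env.OPENCOMPUTER_API_KEY, opts);
  const res = await fetchImpl(req.url, req.init);
  if (!res.ok) throw new Error(`mint failed: ${res.status}`);
  return browserPayload(await res.json());
}
```

Call `mintClientToken` only after your own check that the signed-in user owns the session.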

Model credentials

Sessions run the model on your own Anthropic key. It’s held in OpenComputer’s secret store — encrypted at rest (AES-256-GCM) and write-only (never returned by the API). Crucially, the real key never enters a sandbox at all: it’s sealed into an opaque token, and a host-side proxy swaps in the real value only on the outbound HTTPS call to api.anthropic.com (scoped by an egress allowlist). So it’s never exposed to the model, never in the agent’s prompt or code, and never in the VM — see Secrets.
A credential is required — a session with no resolvable key fails to start (422 no_credential). The easiest way to add one is inline when you create an agent ("key": "sk-ant-…"). The standalone resource below is for reusing one key across agents, setting an org default, and rotating/removing keys:
curl https://api.opencomputer.dev/v3/credentials \
  -H "Authorization: Bearer $OPENCOMPUTER_API_KEY" \
  -d '{ "provider": "anthropic", "key": "sk-ant-…", "name": "prod" }'
# → { "id": "cred_…", "provider": "anthropic", "last4": "…", … }

# make it the default for this provider
curl -X PUT https://api.opencomputer.dev/v3/credentials/default \
  -H "Authorization: Bearer $OPENCOMPUTER_API_KEY" \
  -d '{ "credential": "cred_…" }'
Resolution per session: the agent’s credential → your org default for the provider. (No platform-billed fallback yet — bring a key.)
Additional model providers, model hot-swap, and platform-billed usage are coming soon — they use this same credential shape, so your setup won’t change.