Personal keys
A personal key acts as you: your role, your projects, your permissions. Any signed-in user can create one. Good for scripts you run yourself and for trying the REST API. The catch is that a personal key dies with its owner’s access. The person who wired up your reporting pipeline leaves the agency, you remove their login, and every integration they keyed breaks at midnight.
Organization keys
An organization key belongs to the org itself. It’s a service account: it survives turnover and offboarding because it was never attached to a person. The agency’s reporting pipeline, the Slack bot, the data warehouse sync all keep running no matter who comes or goes.
- Who can create them: owners and admins only. Members and clients never see org keys.
- What they can do: full read and write access to all org data. Every project, every run, every report.
- What they can’t do: govern the org. An org key can’t invite members, change roles, touch billing, or mint other keys. Those actions need a human with the right role.
- Seats: org keys are service accounts. They never hold a seat.
Creating a key
- Open API Keys in the sidebar.
- Name the key (e.g. “CI integration”, “Slack bot”) and pick the scope: personal or organization.
- Pick an expiry: never, 30, 90, or 180 days.
- Copy the secret immediately. It’s shown exactly once. Lose it and you revoke and re-create.
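An added example, not part of the product or its API: a pre-offboarding audit that applies the scope and expiry rules above to a key inventory. The inventory records, their field names and the user names are constructed for illustration; this page does not describe an export format.

```python
from datetime import date

# Constructed inventory. Field names are assumptions, not a documented export.
KEYS = [
    {"name": "CI integration", "scope": "personal", "owner": "dana", "expires": None},
    {"name": "Slack bot", "scope": "organization", "owner": None, "expires": date(2025, 7, 1)},
    {"name": "Warehouse sync", "scope": "personal", "owner": "lee", "expires": date(2025, 6, 10)},
    {"name": "Reporting pipeline", "scope": "organization", "owner": None, "expires": None},
    {"name": "Old export", "scope": "personal", "owner": "sam", "expires": date(2025, 5, 1)},
]


def audit_keys(keys, departing, today, warn_days=14):
    """Return {key name: [findings]} for every key that needs attention."""
    report = {}
    for key in keys:
        notes = []
        # A personal key dies with its owner's access.
        if key["scope"] == "personal" and key["owner"] in departing:
            notes.append("owner is leaving: re-create as an organization key")
        if key["expires"] is None:
            if key["scope"] == "organization":
                # Org keys read and write all org data, so a leak is org-wide.
                notes.append("org key with no expiry: rotate on a schedule")
            else:
                notes.append("no expiry: rotate manually")
        else:
            days_left = (key["expires"] - today).days
            if days_left < 0:
                notes.append("already expired")
            elif days_left <= warn_days:
                notes.append(f"expires in {days_left} days")
        if notes:
            report[key["name"]] = notes
    return report


if __name__ == "__main__":
    # "lee" is the constructed departing user; the date is fixed for repeatability.
    for name, notes in audit_keys(KEYS, {"lee"}, date(2025, 6, 1)).items():
        print(f"{name}: {'; '.join(notes)}")
```

Run it before removing a login: any key flagged as "owner is leaving" marks an integration that stops working the moment that person's access is removed.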
MCP and your organization
The MCP server uses OAuth, so there’s no key to copy. When your agent connects, the session binds to your active organization, and the agent can do whatever your role allows: an owner’s agent manages everything, a member’s agent works its assigned projects, a client’s agent reads its one dashboard. API and MCP calls are metered per org per month, with allowances that scale by plan. The Usage page shows where you stand, and GET /api/me/limits returns the same numbers programmatically.