# API Key Permissions

Revenium API keys authenticate SDKs, middleware, OpenTelemetry exporters, CLI tools, MCP servers, and administrative integrations. Each scoped key prefix shows what the key is allowed to do. Use the narrowest key that supports the workflow you are configuring.

## Key Types

Every Revenium scoped API key carries a prefix indicating its permission scope:

| Prefix    | Scope               | Recommended use                                                                                                                                          |
| --------- | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `rev_mk_` | Metering-only       | Production applications, SDK ingestion, middleware, and OpenTelemetry exporters that only need to send metering events.                                  |
| `rev_sk_` | Write / full-access | MCP servers, administrative scripts, outcome-reporting workflows, provisioning tools, and integrations that need to create or modify Revenium resources. |
| `rev_rk_` | Read-only           | Dashboards, reports, audit tools, and internal automation that only needs to read Revenium data.                                                         |

## Choosing the Right Scope

Pick the narrowest scope that the integration needs:

* Use a metering-only (`rev_mk_`) key for SDK, middleware, and OTLP integrations that only send usage or telemetry data.
* Use a write/full-access (`rev_sk_`) key for MCP servers, account automation, provisioning scripts, and outcome-reporting workflows.
* Use a read-only (`rev_rk_`) key for dashboards, reports, or audit tooling that should not create or modify resources.

When a page gives integration-specific guidance, follow that page's key scope. For example, [OpenTelemetry Integration](/integrations/otlp-integration.md) uses `rev_mk_`, while [MCP Server](/integrations/mcp-server.md) uses `rev_sk_`.

## Creating and Managing Keys

Keys are managed on the **Connections → SDK Setup** page in the Revenium UI:

* **Create** — The Create Key dialog lets you pick the scope (Full Access / Read Only / Metering Only) and name the key before it's issued.
* **View** — The Revenium API Keys table shows each key's name, its scope, the last four characters of the secret, expiry, creator, and creation date. Only the last four characters of the secret are shown after creation — the full value is displayed only once, when the key is created.
* **Rename** — Click the pencil icon in the Actions column (or the key's name) to rename a key inline. Names are free-form and meant to describe where the key is used (e.g., "Production ingestion — us-east", "Finance dashboard").
* **Delete** — Use the delete icon in the Actions column to revoke a key.

## Key Format

Scoped keys have the shape:

```
{PREFIX}_{TENANT_ID}_{SECRET}
```

Where `PREFIX` is one of `rev_mk_`, `rev_sk_`, or `rev_rk_`; `TENANT_ID` is your encoded organization identifier; and `SECRET` is the secret key material.

{% hint style="warning" %}
**Treat API keys as secrets.** Do not commit keys to source control, paste them into chat logs, or share them in screenshots. Full-access keys can modify and delete resources; metering-only keys can still generate billable events. Revoke any key you suspect has been exposed.
{% endhint %}
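To act on the warning above, a repository or CI check can look for key-shaped strings by their scope prefix before they reach source control. The scanner below is an added example, not Revenium tooling: the 16-character minimum and URL-safe character set for the tenant ID and secret are assumptions (this page does not document them), and the sample keys and config names are constructed.

```python
import re
import sys

# Prefix -> (scope, what exposure means), both taken from this page.
SCOPES = {
    "rev_mk_": ("metering-only", "can generate billable events"),
    "rev_sk_": ("write/full-access", "can modify and delete resources"),
    "rev_rk_": ("read-only", "can read Revenium data"),
}

# ASSUMPTION: the page does not document the length or character set of the
# tenant ID and secret, so accept 16+ URL-safe characters after the prefix.
KEY_RE = re.compile(r"\b(rev_(?:mk|sk|rk)_)([A-Za-z0-9_-]{16,})")

def redact(key):
    """Keep only the scope prefix and the last four characters."""
    return f"{key[:7]}...{key[-4:]}"

def scan_text(text, source="<input>"):
    """Return one finding per key-shaped string, never the full key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            scope, risk = SCOPES[m.group(1)]
            findings.append({"source": source, "line": lineno, "scope": scope,
                             "risk": risk, "key": redact(m.group(0))})
    return findings

# Constructed sample input; these are not real credentials.
SAMPLE = """\
# app config
API_KEY=rev_sk_EXAMPLETENANT_000000000000abcd
api_key: "rev_mk_EXAMPLETENANT_111111111111wxyz"
docs: read-only keys start with rev_rk_ and are shown once
"""

if __name__ == "__main__":
    # Usage as a pre-commit or CI step: python scan_keys.py <files...>
    hits = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits += scan_text(fh.read(), source=path)
    if not sys.argv[1:]:
        hits = scan_text(SAMPLE, source="SAMPLE")
    for h in hits:
        print(f"{h['source']}:{h['line']}: {h['scope']} key {h['key']} ({h['risk']})")
    sys.exit(1 if hits else 0)
```

Findings carry only the prefix and last four characters, which is enough to match a hit against the Revenium API Keys table and revoke the right key without copying the secret into CI logs.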

## Related

* [Connections](/integrations/integrations.md) — overview of Provider Connections and SDK Integrations.
* [Integration Options for AI Metering](/integrations/integrations.md) — which SDK to use for which stack.
* [OpenTelemetry Integration](/integrations/otlp-integration.md) — using Revenium with standard OTEL exporters.


