API Key Scope

Exactly what a CueAPI API key can and cannot do.

TL;DR

A CueAPI API key grants full account-level access to everything owned by the user it was issued to. There are no narrower scopes today — one key can do anything the account can do via REST. Treat it as a password.

What a key can do

Any REST endpoint that takes Authorization: Bearer cue_sk_... will accept the key, including:

  • Cues — create, list, get, update, pause, resume, delete, fire manually
  • Executions — list, claim (worker transport), heartbeat, report outcome, replay, verify
  • Outcomes and evidence — write-once outcome reports with external_id, result_url, artifacts, summary
  • Alerts — list, acknowledge
  • Usage — read usage stats
  • Billing — create Stripe checkout sessions, open customer portal
  • Auth metadata — current user, regenerate webhook secret, regenerate API key itself

The REST surface is enumerated in the API Reference.

What a key cannot do

  • Act on another user's account
  • Bypass rate limits (per-minute and per-plan caps apply)
  • Bypass plan limits (active cue cap, monthly executions, etc.)
  • Access raw webhook signing secrets of other users
  • Perform any action not represented in the public REST API

MCP inherits the key's scope

The MCP server is a thin proxy — eight tools, each mapping to a REST call with Authorization: Bearer $CUEAPI_API_KEY. The agent cannot do anything through MCP that the key could not do through curl.

If you want to give an agent a narrower blast radius today, create a separate CueAPI account (or separate user inside a self-hosted deployment), isolate that account's cues, and issue the key from there. Finer-grained scopes are a roadmap item.

Key rotation

Rotate a key any time via POST /v1/auth/regenerate or from the dashboard. Old keys stop working immediately on rotation.

See Authentication for how keys are issued and the Security Authentication page for the underlying hashing model.

If a key leaks

  1. Rotate immediately.
  2. Audit recent executions in the dashboard or via GET /v1/executions.
  3. If outcome state looks tampered, open a support ticket — write-once outcomes are append-only, so the original record is still there.
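The leak playbook above as a small script, added here as an example rather than CueAPI's own code: it regenerates with the leaked key, then audits executions with the new one. The base URL, the `http` transport helper, and the JSON field names (`api_key`, `executions`, `id`, `started_at`) are assumptions not documented on this page; check them against the API Reference.

```python
import json
import urllib.request
from datetime import datetime, timezone

BASE_URL = "https://api.example.invalid"  # placeholder; set to the real CueAPI base URL


def http(method, path, key, data=None):
    """Minimal transport: one authenticated REST call, parsed JSON back."""
    payload = json.dumps(data).encode() if data is not None else None
    req = urllib.request.Request(BASE_URL + path, data=payload, method=method)
    req.add_header("Authorization", f"Bearer {key}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-02T12:30:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rotate_key(transport, leaked_key):
    """Step 1: regenerate. The old key stops working immediately, so the new
    key must be taken from this response and stored securely right away.
    The response field name 'api_key' is an assumption."""
    body = transport("POST", "/v1/auth/regenerate", leaked_key)
    return body["api_key"]


def audit_executions(transport, key, suspected_since):
    """Step 2: list executions with the new key and flag any that started at
    or after the suspected compromise time. Field names are assumptions."""
    body = transport("GET", "/v1/executions", key)
    flagged = []
    for execution in body.get("executions", []):
        if parse_ts(execution["started_at"]) >= suspected_since:
            flagged.append(execution["id"])
    return flagged


def respond_to_leak(transport, leaked_key, suspected_since):
    """Rotate first, then audit: anything the leaked key could have done
    after `suspected_since` needs a human look. Returns (new_key, flagged)."""
    new_key = rotate_key(transport, leaked_key)
    return new_key, audit_executions(transport, new_key, suspected_since)
```

Call `respond_to_leak(http, "<leaked key>", parse_ts("<time you first suspect exposure>"))` and hand the flagged execution ids to whoever owns those cues; the `transport` argument exists so the same logic can be exercised against a fake during drills.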