API Keys
API keys let you connect external tools and scripts to your AgentKanban boards. Each key grants access to specific boards (or all boards) with either read or edit permissions. Any organisation member can create API keys and they are personal to the creating user.
The API key primarily allows interaction via MCP for AgentKanban IDE / agent harness extensions.
API keys can also be used for:
- MCP servers -- connect AI coding assistants to read and update your boards
- CI/CD pipelines -- automatically move tasks between lanes on deploy
- Custom scripts -- bulk-create tasks, export board data, or sync with other tools
Creating an API key
- Go to Settings > API Keys
- Click Create API key
- Enter a descriptive name (e.g. "CI Pipeline", "MCP Server")
- Choose a board access mode:
  - All boards -- grants access to every board you can access in the organisation, including boards you gain access to in the future
  - Specific boards -- select individual boards and permission levels
- Set the permission level:
  - Edit (default) -- read plus create, update, delete, and move tasks/lanes
  - Read -- list boards, lanes, and tasks
- Click Create key
A green banner will show your new API key. You can reveal it again later from the key list.
All-boards keys
When "All boards" is checked, the key dynamically inherits your board access. If you gain access to a new board later, the key automatically works with it. The effective permission on each board is capped at the lower of:
- The permission level you set on the key (e.g. Read or Edit)
- Your actual permission on the board
For example, if you create an all-boards key with Edit permission but only have Read access to a particular board, the key will have Read access to that board.
Per-board keys
When "All boards" is unchecked, you add individual board grants. Each grant specifies a board and a permission level. The key can only access boards you have explicitly granted.
Revealing a key
API keys can be revealed at any time from the key list:
- Go to Settings > API Keys
- Find the key and click Reveal next to the key prefix
- The full key is shown inline -- click Copy to copy it, or Hide to conceal it again
The key is stored encrypted and can be revealed whenever you need it.
Managing board access
For per-board keys, you can edit which boards the key can access after creation:
- Find the key in the list and click Manage boards
- Add or remove board grants and adjust permission levels
- Click Save to apply the changes
All-boards keys do not have individual board grants to manage -- their access is automatic.
Using an API key
Include the key in the Authorization header of your HTTP requests:
Authorization: Bearer ak_YourApiKeyHere
All external API endpoints are under /api/ext/v1/. See the External API guide for full endpoint documentation with request/response examples.
MCP Connection panel
The API Keys page includes an MCP Connection panel that shows:
- The MCP endpoint URL for the current host (https://www.agentkanban.io/api/mcp/v1 in production)
- A copy action for the endpoint URL
- An example MCP configuration snippet you can copy into tools like VS Code or Claude Desktop
This panel is there to help you configure IDE integrations without needing to look up the endpoint manually.
Recommended storage
- Store raw API keys in a password manager, secrets manager, or IDE secret store.
- The VS Code extension stores its API key in VS Code SecretStorage, not in normal settings.
Rate limits
API keys are rate-limited to protect the service. Default limits:
- 60 requests per minute per key
- 1,000 requests per hour per key
When rate-limited, you will receive a 429 response with a Retry-After header indicating when to retry (in seconds).
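A client-side sketch of the Bearer header and the 429 / Retry-After handling described above, added here as an example and not AgentKanban's own code. The host in `BASE_URL`, the `boards` path and the `AGENTKANBAN_API_KEY` variable name are assumptions; the page itself only gives the /api/ext/v1/ prefix.

```python
import os
import time
import urllib.error
import urllib.request

# Host assumed to match the MCP endpoint shown on this page; only the path prefix is documented.
BASE_URL = "https://www.agentkanban.io/api/ext/v1/"


def http_send(path, api_key):
    """Send one GET with the Bearer header; return (status, headers, body)."""
    req = urllib.request.Request(
        BASE_URL + path.lstrip("/"),
        headers={"Authorization": f"Bearer {api_key}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx, including 429
        return err.code, dict(err.headers), err.read()


def get_with_backoff(path, api_key, send=http_send, sleep=time.sleep,
                     max_attempts=4, max_wait=120):
    """GET `path`, waiting out 429 responses as directed by Retry-After."""
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send(path, api_key)
        if status != 429:
            return status, body
        if attempt == max_attempts:
            break
        # Header names are case-insensitive; the page says the value is in seconds.
        retry_after = {k.lower(): v for k, v in headers.items()}.get("retry-after", "")
        try:
            wait = int(retry_after)
        except ValueError:
            wait = 2 ** attempt  # missing or malformed header: fallback chosen for this example
        sleep(min(max(wait, 1), max_wait))  # clamp so a bad value cannot stall the job
    raise RuntimeError(f"still rate-limited after {max_attempts} attempts")


if __name__ == "__main__":
    # The key is read from the environment (filled by a secrets manager), never hard-coded.
    key = os.environ["AGENTKANBAN_API_KEY"]  # variable name is an assumption
    print(get_with_backoff("boards", key))   # "boards" is a hypothetical path
```

The `send` and `sleep` parameters exist so the retry logic can be exercised without network access or real delays.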
Revoking a key
- Go to Settings > API Keys
- Find the key and click Revoke
- Confirm the revocation
Revoked keys stop working immediately. Revoked keys are shown in a collapsed section at the bottom for reference.
Webhooks
You can attach webhooks to API keys to receive HTTP callbacks when events occur on your boards. Each webhook is linked to a specific API key and only fires for events on boards that key can access.
For full documentation on setting up, verifying, and managing webhooks, see the Webhooks guide.
Security notes
- API keys are personal to the creator -- only you can see and manage your own keys
- Administrators cannot view or revoke your API keys directly
- Administrators can remove your board access through the board's share dialog, which automatically revokes matching per-board API key grants
- All-boards keys dynamically reflect your current board access -- if an admin removes your access to a board, the key immediately loses access to it
- The raw key is encrypted at rest (AES-256-GCM) and can be revealed by the creator at any time
- A SHA-256 hash is used for authentication lookups, so even a database breach does not expose usable keys in plaintext
- Per-board keys grant access to specified boards only -- they cannot access other boards or manage the organisation
- All-boards keys are capped at the creator's actual board permission, so they never grant more access than the creator has
- Each key shows its prefix (ak_abc12345...) for identification without exposing the full key