# Secure Agent Endpoints with API Keys

API key security protects platform-hosted API agent endpoints at the gateway. When enabled, callers must send a valid agent API key in the `X-API-Key` header.

API key security is enabled by default for API agents. You can turn it off or on when deploying the agent, and you can create and revoke keys from **Credentials** under the **SECURITY** section in the agent sidebar.

## Prerequisites

* A platform-hosted API agent created in a project.
* At least one deployment environment available for the agent.

## Step 1: Verify API Key Security During Deployment

1. Open the AMP Console and select your project.
2. Open the API agent you want to secure.
3. Click **Deploy**.
4. Click **Configure & Deploy**.
5. In the deploy drawer, under **Endpoint Authentication**, verify that **Enable API key security** is turned on.
6. Deploy the agent.

This step is optional for new API agents because API key security is turned on by default. Use it to confirm the setting before deployment, or to re-enable API key security if it was previously turned off.

The setting is applied through the agent's deployment configuration. If you change the setting later, redeploy the agent so the gateway policy is updated.

## Step 2: Create an Agent API Key

1. Open the deployed agent.
2. In the left sidebar, under **SECURITY**, click **Credentials**.
3. Click **Create API Key**.
4. Enter a display name, such as `production-client`.
5. Select an expiry date.
6. Click **Create**.
7. Copy the generated key immediately.

The full API key is shown only once. After you leave or dismiss the success message, the console only shows the masked key value, status, and expiry date.

## Step 3: Invoke the Agent with the API Key

Send the key as the `X-API-Key` header when calling the deployed agent endpoint:

```
curl -X POST "<agent-invoke-url>" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: <agent-api-key>" \
  -d '<request-body>'
```

Replace `<agent-invoke-url>`, `<agent-api-key>`, and `<request-body>` with the values for your agent.
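
The following added example (not part of the platform's own documentation or tooling) wraps the same call so the key is passed to curl on stdin instead of on the command line, and so a key is never sent over plain HTTP. The variable names `AGENT_URL` and `AGENT_API_KEY` and both function names are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example. AGENT_URL, AGENT_API_KEY and both function names are
# assumptions of this sketch, not names defined by the platform.

# Print a curl config (for `curl --config -`) that carries the key header.
# Passing the key on stdin keeps it out of argv, where `ps` and shell
# history would expose it.
build_curl_config() {  # $1 = invoke URL, $2 = API key
  case "$1" in
    https://*) ;;
    *) echo "refusing to send the key over a non-HTTPS URL" >&2; return 2 ;;
  esac
  [ -n "$2" ] || { echo "API key is empty" >&2; return 3; }
  # Control characters, quotes and backslashes could break out of the
  # quoted config value or smuggle in an extra header line; reject them.
  for value in "$1" "$2"; do
    cleaned=$(printf '%s' "$value" | LC_ALL=C tr -d '[:cntrl:]"\\')
    [ "$cleaned" = "$value" ] || { echo "unsafe character in input" >&2; return 4; }
  done
  printf 'url = "%s"\n' "$1"
  printf 'header = "Content-Type: application/json"\n'
  printf 'header = "X-API-Key: %s"\n' "$2"
}

# POST the JSON file named in $1; --fail turns HTTP error responses
# (>= 400) into a non-zero exit status.
invoke_agent() {
  cfg=$(build_curl_config "$AGENT_URL" "$AGENT_API_KEY") || return $?
  printf '%s\n' "$cfg" |
    curl --silent --show-error --fail --config - \
         --request POST --data-binary "@$1"
}
```

With both variables exported in the calling shell, run `invoke_agent request.json`, where `request.json` holds the request body.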

## Step 4: Revoke an API Key

1. In the left sidebar, under **SECURITY**, click **Credentials**.
2. Find the key you want to disable.
3. Click **Revoke**.

Revoked keys can no longer authenticate requests to the agent endpoint. Create a new key when a client needs replacement credentials.

## Testing from the Console

The agent **Test** page can call secured API agents without requiring you to create a long-lived user key for the test flow. When API key security is enabled, the console issues a short-lived test key for the selected environment and sends it as the `X-API-Key` header.

This test key is reserved for console Try-It usage and is not listed in the **Credentials** section.

## Notes

* API key security applies to platform-hosted API agents.
* The header name is fixed as `X-API-Key`.
* API key security is enabled by default for API agents.
* If **Credentials** says API key security is disabled, enable it from **Deployment** settings and redeploy the agent.
