API Key Management

The API Key Management page in Horizon lets you create, configure, and revoke API keys used to authenticate programmatic access to the Horizon API. For full API documentation, see the API Reference > Authentication section.

API keys are bearer tokens that identify and authorize requests to the Horizon REST API. Every API key is associated with either a user or the organization, and its permissions are determined accordingly:

  • User API keys inherit the creating user’s role and permissions. If the user’s role changes, the key’s effective permissions change too.
  • Organization API keys are created by Admins or Owners and can be scoped independently of any user. Use these for service-to-service integrations and CI/CD pipelines.

To create an API key:

  1. Navigate to Settings > API Keys.
  2. Click Create API Key.
  3. Enter a name for the key — use something descriptive like “Production Backend” or “CI Pipeline”.
  4. Select the key type: User Key or Organization Key (Organization Keys require Admin or Owner role).
  5. Configure scopes (see below).
  6. Set a rate limit override if you want to apply key-specific throttling.
  7. Set an expiration date or select “No expiration.”
  8. Click Generate.
  9. Copy the key from the dialog — it is displayed only once.

Scopes define what an API key is authorized to do. When creating a key, select one or more scopes:

Scope                  Description
conversations:read     Read conversation history and messages.
conversations:write    Create conversations, send messages, and interact with agents.
agents:read            List and view agent configurations.
agents:write           Create, update, and delete agents.
skills:execute         Execute skills directly via the API.
connections:read       View connection status and metadata.
connections:write      Create, update, and remove connections.
users:read             List and view user profiles.
users:write            Invite, update, and deactivate users.
billing:read           View wallet balances, transactions, and subscription details.
billing:write          Add funds, update subscriptions, and manage payment methods.
audit:read             View audit log entries.

You can also select All Scopes to grant full access. For Organization Keys, scopes can be further restricted to specific departments.

Every API key is subject to rate limiting. The default rate limits depend on your subscription plan:

Plan            Requests per minute    Requests per day
Starter         60                     10,000
Professional    300                    100,000
Enterprise      1,000                  Unlimited

You can set a lower rate limit on individual keys to prevent a single integration from consuming the organization’s entire quota. To set a key-specific rate limit:

  1. Open the key’s detail page.
  2. Click Edit Rate Limit.
  3. Enter the per-minute and per-day limits.
  4. Click Save.

Key-specific rate limits cannot exceed the organization’s plan limits. For higher limits, upgrade your subscription.

For detailed rate limiting behavior and response headers, see API Reference > Rate Limiting.

API keys can be set to expire automatically. Available expiration options when creating a key:

  • 30 days
  • 90 days
  • 1 year
  • Custom date
  • No expiration

After a key expires, it remains visible in the key list with an Expired status. You cannot reactivate an expired key — create a new one instead.

The Settings > API Keys page lists all keys in your organization. Each entry shows:

  • Name — the descriptive name you assigned.
  • Type — User Key or Organization Key.
  • Creator — the user who generated the key.
  • Scopes — a summary of assigned scopes.
  • Created — the creation date.
  • Expires — the expiration date, or “Never.”
  • Last Used — the timestamp of the most recent API call.
  • Status — Active, Expired, or Revoked.

Use the filter bar to narrow the key list by:

  • Status (Active, Expired, Revoked)
  • Type (User, Organization)
  • Creator
  • Scope

Click on any key to view its full configuration, usage statistics, and recent request log. The detail page shows:

  • Total requests in the last 24 hours, 7 days, and 30 days.
  • Error rate (percentage of requests that returned 4xx or 5xx responses).
  • Top endpoints called.
  • Rate limit utilization.

To immediately disable an API key:

  1. Navigate to Settings > API Keys.
  2. Click the key you want to revoke.
  3. Click Revoke Key.
  4. Confirm the action in the dialog.

Revocation is immediate — any in-flight requests authenticated with the revoked key will fail. Revoked keys remain visible in the list for audit purposes but cannot be reactivated.

  • Rotate keys regularly — create a new key, update your integration, then revoke the old key.
  • Use expiration dates — avoid creating keys with no expiration for production use.
  • One key per integration — do not share a single key across multiple services. If one is compromised, you can revoke it without affecting others.
  • Monitor usage — review the key detail page periodically to detect anomalous usage patterns.
  • Use environment variables — never hard-code API keys in source code. Store them in environment variables or a secrets manager.
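
The practices above can be checked mechanically against the key list. The following is an added example, not Horizon code: it audits a constructed inventory whose fields mirror the key-list columns (Name, Type, Scopes, Created, Expires, Last Used, Status). The record layout and the thresholds (90-day rotation, 30-day staleness, 14-day expiry warning) are assumptions.

```python
from datetime import date

# Constructed sample inventory. Field names mirror the key-list columns on this
# page; the dict layout itself is an assumption, not a Horizon export format.
KEYS = [
    {"name": "Production Backend", "type": "Organization", "status": "Active",
     "scopes": ["conversations:read", "conversations:write"],
     "created": "2025-05-01", "expires": "2025-07-30", "last_used": "2025-06-14"},
    {"name": "CI Pipeline", "type": "Organization", "status": "Active",
     "scopes": ["All Scopes"],
     "created": "2024-11-02", "expires": "Never", "last_used": "2025-06-15"},
    {"name": "Old Reporting Job", "type": "User", "status": "Active",
     "scopes": ["billing:read", "audit:read"],
     "created": "2025-04-20", "expires": "2025-06-20", "last_used": None},
    {"name": "Decommissioned Bot", "type": "User", "status": "Revoked",
     "scopes": ["All Scopes"],
     "created": "2024-01-01", "expires": "Never", "last_used": "2024-02-01"},
]

def audit_keys(keys, today, max_age_days=90, stale_days=30, warn_days=14):
    """Return {key name: [findings]} for Active keys that break the practices above.
    The thresholds are illustrative defaults, not values defined by Horizon."""
    findings = {}
    for k in keys:
        if k["status"] != "Active":  # Expired and Revoked keys cannot authenticate
            continue
        issues = []
        if k["expires"] == "Never":
            issues.append("no expiration")
        elif (date.fromisoformat(k["expires"]) - today).days <= warn_days:
            issues.append("expires soon")
        if "All Scopes" in k["scopes"]:
            issues.append("all scopes granted")
        if (today - date.fromisoformat(k["created"])).days > max_age_days:
            issues.append("rotation overdue")
        last = k["last_used"]  # None means the key has never been used
        if last is None or (today - date.fromisoformat(last)).days > stale_days:
            issues.append("unused")
        if issues:
            findings[k["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_keys(KEYS, today=date(2025, 6, 16)).items():
        print(f"{name}: {', '.join(issues)}")
```

Keys flagged as unused are candidates for revocation; keys flagged as expiring soon need a replacement key deployed before the old one lapses, since expired keys cannot be reactivated.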