Agent Kit uses three different secrets. Mixing them up is the most common integration mistake. Use this page as a single reference.
At a glance
| Credential | Issued where | Lifetime | Store on |
|---|---|---|---|
| Application API key | Dashboard → Agentic Stack → Overview | Long-lived (rotate in dashboard) | Backend env / MCP Authorization only |
| Per-agent apiKey | createAgent / REST POST /agents response | Long-lived per agent | Backend if you scope MCP per user; optional |
| Wallet accessKey | createAgent → wallet.accessKey (once) | One-time at creation | Encrypted DB on your backend |
The dashboard API key is not the wallet accessKey. The app key authenticates to Agent Kit; the access key signs on-chain and x402 payments.
Application API key
What it is: Kong key-auth for your application. Same key used across Wallets, Bundler, Relayer, Paymaster, and Agent Kit for that app.
Use for:
- @abstraxn/agent-kit → AgentKitClient({ apiKey })
- MCP → Authorization: <key> or X-API-Key: <key>
- Your backend env: ABSTRAXN_API_KEY, AGENT_KIT_API_KEY, MCP_SERVER_AUTH_TOKEN
Behavior with MCP:
- tools/list and catalog-discovery tools (per inputSchema) work without any agents.
- Wallet-scoped tools (see live tools/list schemas) need at least one active agent created via SDK/REST.
- If you have multiple active agents, pass agent_id in tool arguments (or X-Agent-Id on the HTTP request).
Never: Put in frontend bundles, public repos, or browser localStorage.
Per-agent API key (agent.apiKey)
What it is: Optional customer-scoped key returned when you create an agent. MCP treats it as bound to that agent only.
Use for:
- MCP Authorization when a single integration should only ever act as one agent (omit agent_id).
- Per-tenant BFF or worker that only serves one end user.
Do not confuse with: Application API key from Overview (broader scope).
Wallet accessKey
What it is: P-256 server-wallet credential from Abstraxn wallet provisioning. Returned once inside createAgent() → wallet.accessKey.
Use for:
- Signing unsigned transfer intents from MCP.
- Building paymentPayload for paid x402 tools after paymentRequired (-32402).
- AgentKitClient.getServerSigner().authenticate({ userIdentity, accessKey })
Store: Encrypt at rest (AES-256-GCM with ENCRYPTION_KEY on your backend). You cannot retrieve it again from Agent Kit if lost — create a new agent/wallet flow.
Never: Expose to the browser, LLM prompts, or MCP clients running on a developer laptop without a local signer you trust.
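An added example (not Agent Kit or Abstraxn code) of the at-rest storage described under Store: AES-256-GCM with the agent id bound as associated data, so a stored record moved onto another agent's row fails to decrypt. The hex encoding of ENCRYPTION_KEY, the "v1" record layout and the function names are assumptions.

```javascript
// Added example, not Agent Kit code. Assumed: hex-encoded ENCRYPTION_KEY,
// the "v1" record layout, and all function names.
const { createCipheriv, createDecipheriv, randomBytes } = require("node:crypto");

// Accept only a 32-byte key (64 hex chars); fail closed on anything else.
function loadKey(hex) {
  if (!/^[0-9a-fA-F]{64}$/.test(hex || "")) {
    throw new Error("ENCRYPTION_KEY must be 32 bytes, hex-encoded");
  }
  return Buffer.from(hex, "hex");
}

// Encrypt an accessKey for storage. agentId is bound as AAD, so a record
// copied onto a different agent's row fails authentication on decrypt.
function sealAccessKey(key, agentId, accessKey) {
  const iv = randomBytes(12); // fresh 96-bit nonce per record, never reused
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(agentId, "utf8"));
  const ct = Buffer.concat([cipher.update(accessKey, "utf8"), cipher.final()]);
  const fields = [iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64url"));
  return ["v1", ...fields].join(".");
}

// Decrypt a stored record; throws on a wrong key, wrong agentId or any tampering.
function openAccessKey(key, agentId, sealed) {
  const parts = String(sealed).split(".");
  if (parts.length !== 4 || parts[0] !== "v1") throw new Error("unknown record format");
  const [iv, tag, ct] = parts.slice(1).map((p) => Buffer.from(p, "base64url"));
  if (iv.length !== 12 || tag.length !== 16) throw new Error("malformed record");
  const decipher = createDecipheriv("aes-256-gcm", key, iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(agentId, "utf8"));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Constructed sample values; in production the key comes from process.env.ENCRYPTION_KEY.
function demo() {
  const key = loadKey(randomBytes(32).toString("hex"));
  const sealed = sealAccessKey(key, "agent-1111", "constructed-access-key");
  let crossAgent = "decrypted";
  try { openAccessKey(key, "agent-2222", sealed); } catch { crossAgent = "rejected"; }
  return { roundTrip: openAccessKey(key, "agent-1111", sealed), crossAgent };
}
console.log(demo());
```

Store the returned string in the agent's row and call openAccessKey only at signing time, in backend memory.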
Environment variables (sample backend pattern)
| Variable | Maps to | Required when |
|---|---|---|
| ABSTRAXN_API_KEY / AGENT_KIT_API_KEY | Application API key | SDK + REST + MCP from backend |
| AGENT_KIT_BASE_URL | REST host (no /mcp) | Dev/staging override |
| MCP_SERVER_URL | https://…/mcp | Backend LLM loop |
| MCP_SERVER_AUTH_TOKEN | Same as application API key | Backend MCP client |
| ENCRYPTION_KEY | 32-byte secret for accessKey at rest | Any signing in production |
Authorization: <application-api-key>
or
X-API-Key: <application-api-key>
Optional scoping on MCP HTTP requests:
X-Agent-Id: <agent-uuid>
X-User-Identity: <your-stable-user-id>
Tool arguments can also include:
{ "agent_id": "<agent-uuid>", "chain": "base" }
Decision tree