Scoped API keys for AI agents.
Give agents disposable keys with activation, token, and dollar limits. Works with OpenAI, Anthropic, Google, OpenRouter, and 7 more providers.
pip install till-ac
# Create a scoped key: 50 activations, 100K tokens, $5 budget
from till import TillClient
client = TillClient(admin_key="till_admin_...")
key = client.create_key(
provider="openai",
upstream_key="sk-proj-...",
max_activations=50,
max_tokens=100_000,
max_spend_cents=500, # $5.00
)
# Agent uses it as a drop-in API key
from till.openai_compat import patched_openai
ai = patched_openai(key.scoped_key)
ai.chat.completions.create(model="gpt-4o", messages=[...])Three controls on every scoped key.
Activations and conservative token/spend capacity are reserved before forwarding, then settled to provider-reported usage.
Activation limits
Each proxied request burns one activation. Hit the cap, the key dies. Perfect for sandboxed agent runs.
Token limits
Budgeted generation requests must declare an output-token cap. Till reserves a conservative bound before dispatch and settles it to reported usage.
Spend budgets
Spend-limited requests require a model in Till's pricing table. Estimates settle from provider-reported usage and may differ from provider invoices.
No upstream credential storage
Upstream keys are AES-256-GCM encrypted into the scoped token and are not stored in Till's database.
12 providers
OpenAI, Anthropic, Google, OpenRouter, Mistral, Groq, Together, Fireworks, Perplexity, DeepSeek, xAI, and Cohere.
Python SDK
pip install till-ac Three lines to create a key. Drop-in OpenAI compatibility.
Works with every major AI provider
Your upstream keys never touch our database.
When you create a scoped key, the upstream API key is AES-256-GCM encrypted and embedded directly in the scoped token. Our database stores only the activation counter and metadata.
Database compromise alone: the database does not contain upstream credentials. Protect scoped tokens as secrets: each token contains encrypted credential material and the service decrypts it while proxying authorized requests.
How it works
Four steps. Python SDK or raw HTTP.
Request beta access
New accounts are manually onboarded while verified-email signup is being completed.
Create scoped keys
Set activation, token, and dollar limits. Pick any of 12 providers.
Give to agents
Drop-in replacement. Point base_url at Till, use the scoped key as the API key.
Auto-expires
Whichever limit hits first kills the key. Revoke early from the dashboard.
Simple, transparent pricing
Controlled beta onboarding for new accounts. Existing customers can upgrade from the dashboard.
- 3 scoped keys
- 1,000 activations / month
- All 12 providers
- Token + dollar limits
- Dashboard + Python SDK
- 25 scoped keys
- 25,000 activations / month
- All 12 providers
- Token + dollar limits
- IP allowlisting
- Usage dashboard
- 100 scoped keys
- 250,000 activations / month
- All 12 providers
- Token + dollar limits
- IP allowlisting
- Usage dashboard