# API keys and personal access tokens

> Two credential types and how to create them.

Anyreach has two kinds of bearer credential for the API. **Organization API keys** (`ak_`) belong to a single organization and carry it implicitly. **Personal access tokens** (`pat_`) belong to a user, work across every organization that user is a member of, and require you to name the target organization on each request.

Both are shown in full exactly once, at creation. Copy the secret then — it cannot be recovered afterward.

## Which credential to use

<table>
  <thead>
    <tr><th>Use an org API key (`ak_`) when</th><th>Use a personal access token (`pat_`) when</th></tr>
  </thead>

  <tbody>
    <tr><td>The credential acts for one fixed organization (a server, a CI job, a service integration).</td><td>You work across multiple organizations and want one credential for all of them.</td></tr>
    <tr><td>You want the organization baked in, with no extra header.</td><td>The credential is tied to you as a user and follows your access.</td></tr>
  </tbody>
</table>

## Organization API keys

Org API keys are created and managed on the **API Keys** page in your organization. Each key prints once as `ak_<id>.<secret>`; after that the table shows only the truncated key id and the key cannot be revealed again.

<Steps>
  <Step title="Open the API Keys page">
    Go to **API Keys** in the organization you want the key scoped to. The key inherits that organization permanently.
  </Step>

  <Step title="Create a key">
    Click **Create API Key**, enter a **Name**, and choose an **Expiration**. Presets range from 1 day to 365 days, plus **Never** and **Custom Date**.
  </Step>

  <Step title="Copy the secret">
    The dialog shows the full secret once. Use **Copy** to grab it, store it in a secret manager, then click **Done**. The secret is not shown again.
  </Step>
</Steps>

Under the hood, creation calls `POST /admin/organization-pats` with a `name` and an optional `expires_at`:

```bash
curl https://api.anyreach.ai/admin/organization-pats \
  -H "Authorization: Bearer $ANYREACH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production server",
    "expires_at": 1767225600000
  }'
```

| Field        | Type    | Default  | Description                                                                    |
| ------------ | ------- | -------- | ------------------------------------------------------------------------------ |
| `name`       | string  | required | Label for the key. Must not be empty.                                          |
| `expires_at` | integer | `null`   | Expiry as an epoch timestamp. Omit or set `null` for a key that never expires. |

The response returns the full secret in `pat_key` exactly once. Subsequent list calls return only `key_id` (a truncated prefix), `name`, `expires_at`, and `created_at`.

<Warning>
  The full secret is returned only in the create response. If you lose it, delete the key and create a new one — there is no way to recover the original.
</Warning>

An org API key carries its organization, so you never send the `X-Anyreach-Org` header with it:

```bash
curl https://api.anyreach.ai/core/agents \
  -H "Authorization: Bearer ak_..."
```

## Personal access tokens

Personal access tokens belong to you as a user and work across every organization you can access. Create and manage them under **Account → Tokens**.

A personal access token does not carry an organization. You must name the target organization on each request with the `X-Anyreach-Org` header:

```bash
curl https://api.anyreach.ai/core/agents \
  -H "Authorization: Bearer pat_..." \
  -H "X-Anyreach-Org: $ANYREACH_ORG_ID"
```

Personal access tokens support a few operations org API keys do not:

| Operation                             | Org API key     | Personal access token |
| ------------------------------------- | --------------- | --------------------- |
| Rename after creation                 | No              | Yes                   |
| Works across all your organizations   | No (single org) | Yes                   |
| Requires `X-Anyreach-Org` per request | No              | Yes                   |

<Note>
  The PAT secret (the `pat_...` value) is returned only when the token is created. Renaming a token does not reveal the secret again.
</Note>
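
One way to script requests with either credential type, as an added example rather than Anyreach's own code: it selects headers by prefix, refuses a `pat_` credential that has no organization, and hands the secret to curl through `--config -` on stdin so it stays out of the process argument list. The function names are hypothetical, and passing headers through curl's config syntax is a choice made here, not something this page prescribes.

```bash
#!/bin/sh
# Added example; helper names are hypothetical, not part of Anyreach's tooling.

# Emit curl config lines for `curl --config -`, so the bearer secret is passed
# on stdin rather than in the process argument list.
#   $1 = credential (ak_<id>.<secret> or pat_...), $2 = org id (PATs only)
anyreach_curl_config() {
  nl='
'
  cr=$(printf '\r')
  # Refuse characters that could break out of the quoted config value.
  case "$1${2:-}" in
    *'"'*|*\\*|*"$nl"*|*"$cr"*)
      echo "error: quote, backslash or line break in credential or org id" >&2
      return 2 ;;
  esac
  case "$1" in
    ak_?*.?*) ;;  # org API key: organization is implicit
    pat_?*)       # personal access token: organization is mandatory
      if [ -z "${2:-}" ]; then
        echo "error: pat_ credential requires an organization id" >&2
        return 2
      fi ;;
    *)
      echo "error: expected an ak_ or pat_ credential" >&2
      return 2 ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$1"
  # X-Anyreach-Org accompanies a PAT only; it is never sent with an ak_ key.
  case "$1" in
    pat_*) printf 'header = "X-Anyreach-Org: %s"\n' "$2" ;;
  esac
}

# Log-safe form of a credential: keep the key id, mask the secret.
anyreach_redact() {
  case "$1" in
    ak_*.*) printf '%s.***\n' "${1%%.*}" ;;
    pat_*)  printf 'pat_***\n' ;;
    *)      printf '***\n' ;;
  esac
}

# Usage (performs a network request, so it is left commented out):
# anyreach_curl_config "$ANYREACH_TOKEN" "$ANYREACH_ORG_ID" |
#   curl --config - https://api.anyreach.ai/core/agents
```

Use `anyreach_redact` wherever a credential would otherwise reach a log line or error message.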

## Next steps

<CardGroup cols={2}>
  <Card title="Authentication" icon="key" href="/api-reference/authentication">
    The full token flow, the `Authorization` header, and the `X-Anyreach-Org` header for personal access tokens.
  </Card>

  <Card title="Connecting an MCP client" icon="plug" href="/mcp/connecting-a-client">
    Use either credential to connect a Model Context Protocol client to Anyreach.
  </Card>
</CardGroup>
