The Neo API authenticates with an API key — a long-lived secret you create in the dashboard and send as a bearer token on every request. A key belongs to the tenant that created it and carries that tenant’s access, so you never pass a client or tenant id yourself.

Create an API key

API keys are created in the dashboard, by an admin, under Roles & Access.
1. Open the API Keys tab

Go to Roles & Access → API Keys. You’ll need the Admin role — only admins can manage keys.

2. Create the key

Click Create API key, give it a recognisable name (e.g. Billing export script), and optionally set an expiry. Leave the expiry blank for a key that never expires.

3. Copy it now

The key is shown once, right after creation. Copy it and store it somewhere safe — you can’t retrieve it again later.
Your API key is shown only once and can’t be recovered. If you lose it, rotate or revoke it and issue a new one. Anyone with the key can act on your tenant through the API, so treat it like a password.
A key looks like this — neo_sk_, the environment, then a random secret:
neo_sk_prod_AbCdEf0123456789AbCdEf01

Authenticate a request

Send the key in the Authorization header as a bearer token:
curl https://api.neoagent.io/public-api/agents \
  -H "Authorization: Bearer neo_sk_prod_AbCdEf0123456789AbCdEf01"
That’s the only credential a request needs. The key resolves to your tenant on Neo’s side — there is no separate tenant or client header.

Rotating and revoking keys

Manage existing keys from the same API Keys tab:
Action | What happens
Rotate | Issues a fresh key immediately and keeps the current key working for 24 hours, so you can roll it out without downtime. After 24 hours the old key stops working.
Revoke | Disables the key immediately and permanently. Any integration still using it stops working at once.
Use one key per integration and name it for that integration. That way you can rotate or revoke a single consumer without touching the others, and the Last used column tells you which keys are still live.

Security best practices

  • Store keys in a secrets manager or your platform’s environment configuration — never commit them to source control.
  • Don’t embed keys in browsers, mobile apps, or anything a customer could inspect — the API is for server-to-server use.
  • Rotate on a schedule, and immediately if a key may have leaked.
  • Set an expiry on keys meant to be short-lived.
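A check for the first practice above, as an added example rather than Neo's own tooling: a scanner that flags key-shaped strings in files before they are committed and reports them redacted. The regex is an assumption inferred from the sample key on this page (the exact alphabet and length are not documented), and the `staging` key in the sample input is constructed.

```python
import re
import sys

# Assumption: the page documents only the shape "neo_sk_" + environment +
# random secret. The character classes and the 16-character minimum are
# inferred from the page's sample key, not from a published format.
KEY_RE = re.compile(r"neo_sk_([a-z0-9]+)_([A-Za-z0-9]{16,})")

# Constructed sample input, not a real repository file.
SAMPLE = """\
# deploy notes
NEO_API_KEY = os.environ["NEO_API_KEY"]
curl -H "Authorization: Bearer neo_sk_prod_AbCdEf0123456789AbCdEf01"
token: neo_sk_staging_ZyXwVu9876543210ZyXwVu98
"""


def redact(match):
    """Keep prefix, environment and the last 4 characters; mask the rest."""
    env, secret = match.group(1), match.group(2)
    return f"neo_sk_{env}_{'*' * (len(secret) - 4)}{secret[-4:]}"


def scan_text(text, source="<input>"):
    """Return (source, line_no, env, redacted_key) for each key-shaped token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append((source, line_no, m.group(1), redact(m)))
    return findings


def main(paths):
    """Pre-commit style entry point: returns 1 if any input holds a key."""
    if paths:
        findings = []
        for path in paths:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += scan_text(fh.read(), path)
    else:
        findings = scan_text(SAMPLE, "sample")  # no files given: run the demo
    for source, line_no, env, redacted in findings:
        print(f"{source}:{line_no}: Neo API key ({env}) {redacted}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the staged file paths as arguments from a pre-commit hook; a non-zero exit status blocks the commit, and the full secret never reaches the hook's output.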
Keys can’t create other keys — minting and rotating keys is an admin-only dashboard action. The dashboard itself signs in with your Microsoft account rather than an API key; API keys are for your own scripts and integrations.
