Scoped API Key Pattern
The security practice of creating a dedicated account or API key per AI agent, with the minimum permissions that agent actually needs. Prevents an agent from having unintended write access, enables per-agent spend tracking, and isolates blast radius if credentials are leaked.
Key points
- Create a separate account (e.g., UpAI in ClickUp) rather than sharing your personal credentials with Claude Code [src-013]
- Set API permissions to the minimum required: if the AIOS only needs to read tasks and create comments, don't grant full admin access [src-013]
- Per-account API keys enable spend tracking by agent — useful for billing analysis and debugging runaway automation [src-013]
- Nate: "I created an account called UpAI. And now I give my UpAI API key to Claude Code rather than my own personal API key. Per API key or per account, you can set different permissions." [src-013]
- In client delivery, Nate extends the pattern to ownership: the client should own API accounts and billing from the start, while the builder guides setup and avoids becoming the billing intermediary [src-016]
- Secrets belong in environment/config layers such as .env, not embedded in CLAUDE.md, workflow text, or handover documentation [src-016]
- For Hermes, Nate recommends treating each assistant like a new employee or intern: create named accounts and keys for the agent, give only the permissions it needs, and keep OpenRouter, Perplexity, Telegram, GitHub, and other credentials scoped and observable [src-074].
- This becomes more important as agents multiply. Separate Hermes containers should not all reuse the same broad personal API keys because spend, mistakes, and compromise become harder to attribute [src-074].
- Roberts's Apollo skill example extends the same pattern to API-backed sales-data connectors: store credentials in environment variables, expose only the workflow the agent needs, and avoid putting secrets into memory or prompts [src-079].
- For Gmail and Calendar connectors, Roberts explicitly favors least access: draft email before send authority, and calendar permissions chosen around the actual assistant job [src-079].
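The key points above can be checked mechanically. The following is an added example, not code from the cited courses: it audits a .env file and agent inventory for over-granted permissions, one key reused by several agents, and key values pasted into CLAUDE.md or handover text. Agent names, variable names, scope names and key values are all constructed assumptions.

```python
def parse_env(text):
    """Parse KEY=VALUE lines of .env-style text, skipping comments and blanks."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value.strip().strip("\"'")
    return env

def audit(agents, env, docs):
    """Return sorted (rule, subject, detail) findings for the scoped-key pattern."""
    findings, owners = [], {}  # owners: key value -> agents using it
    for agent, cfg in agents.items():
        secret = env.get(cfg["key_var"])
        if not secret:
            findings.append(("missing-key", agent, cfg["key_var"]))
            continue
        owners.setdefault(secret, []).append(agent)
        excess = cfg["granted"] - cfg["needed"]  # permissions beyond the agent's job
        if excess:
            findings.append(("excess-scope", agent, ",".join(sorted(excess))))
    for users in owners.values():
        if len(users) > 1:  # shared key: spend and compromise cannot be attributed
            findings.append(("shared-key", ",".join(sorted(users)), "reused"))
    for fname, text in docs.items():
        for var, secret in env.items():
            if len(secret) >= 8 and secret in text:  # report the name, never the value
                findings.append(("secret-in-doc", fname, var))
    return sorted(findings)

SAMPLE_ENV = """# constructed values, not real keys
UPAI_CLICKUP_KEY=constructed-key-upai-0001
HERMES_GITHUB_KEY=constructed-key-shared-0002
RESEARCH_GITHUB_KEY=constructed-key-shared-0002
"""
SAMPLE_AGENTS = {  # scope names are hypothetical, not any vendor's permission model
    "upai": {"key_var": "UPAI_CLICKUP_KEY", "needed": {"tasks:read", "comments:write"},
             "granted": {"tasks:read", "comments:write", "admin"}},
    "hermes": {"key_var": "HERMES_GITHUB_KEY", "needed": {"repo:read"}, "granted": {"repo:read"}},
    "research": {"key_var": "RESEARCH_GITHUB_KEY", "needed": {"repo:read"}, "granted": {"repo:read"}},
}
SAMPLE_DOCS = {"CLAUDE.md": "Use constructed-key-upai-0001 for ClickUp.",
               "handover.md": "Keys live in .env; see the client's account."}

def demo():
    return audit(SAMPLE_AGENTS, parse_env(SAMPLE_ENV), SAMPLE_DOCS)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Findings name the environment variable rather than echoing the key, so the audit output can be shared without leaking the secret it found.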
Related entities
- ClickUp — primary example: UpAI account with scoped ClickUp API key
- Anthropic — recommends principle of least privilege for agent credentials
Related concepts
- Four C's of an AI Operating System — C2 (Connections) is where scoped keys are created
- AIOS Tier-One Domains — each domain integration should have its own scoped key
- MCP vs CLI Token Trade-off — related decision; direct API calls need API keys to manage
- AI Project Delivery and Handover Playbook — where client-owned keys become part of the handover model
- Personal Agent Container Isolation
- Agent Security Boundaries
- Cross-Harness Memory Bridge
Source references
- [src-013] Nate Herk — "Build & Sell Claude Code Operating Systems (2+ Hour Course)" (2026-05-01)
- [src-016] Nate Herk — "Build & Sell with Claude Code (10+ Hour Course)" (2026-03-12)
- [src-074] Nate Herk — "Hermes Agent: Zero to Personal AI Assistant (1 Hour Course)" (2026-05-10)
- [src-079] Jack Roberts — "Hermes Agent just got 10X Better (Agentic OS)" (2026-05-15)