Move fast — without ever holding a raw key.
You want to ship agents, not babysit credentials. Swap the raw key for a HiveKey-scoped token and your agent keeps working — but now it's scoped, guarded, and logged by default. One line changes.
Speed and safety usually fight. Here they don't.
Raw keys are fast to wire and impossible to govern. HiveKey keeps the developer experience of a single token while moving control to the gateway.
Drop-in
Point your SDK at the HiveKey endpoint and pass a scoped token. No rewrite, no new framework to learn.
No secrets in code
Agents never see upstream credentials. Keys live in the vault; agents get short-lived scoped tokens.
Safe to experiment
Ship a new agent against a read-only role and graduate it to writes when it earns trust — all reversible.
From a raw key to a governed token.
Same call site, same SDK. The difference is what happens on the other side of the request.
# full access, no guards, no log client = Agent( api_key="sk-live-9f2a…raw", tools=[email, payments, crm], ) client.run( # can send anywhere, spend anything, # delete anything — and you'd never know )
# scope + guards live at the gateway client = Agent( api_key="hk_tok_support.responder", base_url="https://gw.hivekey.ai", tools=[email, payments, crm], ) client.run( # mail only to approved domains, # $0 spend cap, crm read-only — enforced )
Nothing else in your codebase changes. Scope, guards, and the audit trail are configured once as a role, not in your agent.
Governance you won't feel in the hot path.
<5ms
added p50 policy decision
illustrative, private beta
<12ms
added p99 policy decision
illustrative, private beta
99.9%
gateway availability target
design target
0
raw keys in your agent code
by design
Figures are design targets and private-beta measurements, not guarantees. We'll benchmark against your workload during evaluation.
Everything you need to wire it up.
Ship agents fast — and sleep at night.
Swap one key, keep your stack, and get scope, guards, and audit for free. See how it works, or talk to us.