Every request to the Volta Agent Bridge — whether through the MCP server, the REST API, or the SDK — is authenticated with an API key. API keys are tied to your organization and grant full access to the Agent Bridge surface. There are no scoped or read-only keys; if you need to limit access, create a dedicated key per agent and revoke it when it’s no longer needed.
Getting your API key
Open API Keys settings
In the Volta dashboard, navigate to Settings → API Keys.
Create a new key
Click Create New Key and give it a descriptive name. Use names that identify the consumer, such as Claude Code agent, CI pipeline, or content-bot-prod. This makes it easy to audit usage and revoke individual keys without disrupting other integrations.
Copy your key immediately
The full key value is shown exactly once, immediately after creation. Copy it to a secure location now — Volta does not display it again. If you lose a key, delete it and create a new one.
Using your API key
REST API
SDK
MCP — URL key (simplest)
MCP — Bearer token
Pass your API key as the value of the Authorization header on every request. Do not prefix it with Bearer.curl -H 'Authorization: your-api-key' \
https://your-instance.com/public/v1/integrations
/public/v1 endpoints accept this header. Pass your API key as the first argument to the Postsider constructor. The second argument is your instance base URL.import Postsider from '@postsider/node';
const client = new Postsider(
'your-api-key',
'https://your-instance.com'
);
// All SDK methods automatically include the key
const channels = await client.integrations();
Authorization header automatically — you never need to set it again after construction. Embed your API key directly in the MCP server URL. This is the easiest method and works with any MCP-compatible client.https://your-instance.com/mcp/your-api-key
url value in your MCP client config (see MCP Overview for full setup steps). If your MCP client supports custom headers, you can keep the key out of the URL by sending it as a Bearer token to the base /mcp endpoint.Authorization: Bearer your-api-key
Endpoint: https://your-instance.com/mcp
Key expiration and rotation
API keys never expire automatically. They remain valid until you delete them from Settings → API Keys. There is no automatic rotation — if you suspect a key has been compromised, delete it immediately and issue a new one.
Rate limiting
The Public API enforces a limit of 60 requests per minute per organization. All responses include rate-limit metadata in standard headers:
| Header | Description |
|---|
X-RateLimit-Limit | Maximum requests allowed in the window |
X-RateLimit-Remaining | Requests remaining in the current window |
X-RateLimit-Reset | Unix timestamp when the window resets |
429 Too Many Requests. Your agent should read X-RateLimit-Reset and back off until the window resets before retrying.
Auth errors
| Status | Meaning | Fix |
|---|
401 Unauthorized | API key is missing or invalid | Check that the Authorization header is present and the key value is correct |
402 Payment Required | Subscription limit reached for channels or posts | Review your plan limits in Settings → Billing |
429 Too Many Requests | Rate limit exceeded | Wait for the window to reset (see X-RateLimit-Reset) then retry |
Best practices
Create a separate API key for each agent, integration, or pipeline. Named keys make it easy to see which system made which requests in your audit log — and if one key is ever compromised, you can revoke it without affecting any other consumer.
Never commit API keys to source code or check them into version control. Use environment variables or a secrets manager (such as VOLTA_API_KEY in your .env file) and make sure .env is in your .gitignore. A leaked key gives full Agent Bridge access to anyone who finds it.
