SDK

Authentication & scopes

The SDK authenticates with a Maritime API key (mk_…). It lives on your server and never touches a browser.

Get a key

Mint one from the dashboard (Settings → API keys) or with maritime keys create. Set it as MARITIME_API_KEY and both SDKs pick it up automatically.

The Maritime dashboard API keys page with the scope picker open
A default key is full-access; open Advanced to scope it down.

Scopes

Every key carries scopes. Hand a subsystem the narrowest key it needs. A leaked key can then only do what its scope allows. manage is a wildcard.

ScopeGrants
provisioncreate agents
deploystart / stop / restart / sleep / chat
secretsread / write env vars
manageeverything, incl. delete + key management (wildcard)

Mint a scoped key

A background worker that only chats to existing agents needs deploy, not provision, secrets, or manage. Minting keys itself requires a manage key.

const worker = await maritime.keys.create({
  name: 'chat-worker',
  scopes: ['deploy'],   // chat/start/stop only
})
// worker.rawKey is shown once. Hand it to the worker as MARITIME_API_KEY.
A key sent as a session token (dashboard) and an admin key are always full-access. Scope enforcement applies to user mk_ keys, so restricted keys are genuinely restricted.