
API Keys

Account-scoped bearer tokens for the REST API and MCP server. Pick scopes, restrict to specific projects, revoke when no longer needed.

API keys are account-level bearer tokens for the REST API and the MCP server. Pick the scopes a script needs, restrict it to specific projects if you want, and revoke when the script is retired.

The project key in your install snippet identifies a project to the SDK and the tracking endpoints. API keys are different — they're for everything else: REST API calls from your backend, CI scripts that read or modify tests, and the MCP server for AI assistants. You only need API keys if you're automating Otter A/B from code.

Manage keys under Settings → API & MCP. The page has a creation form, a list of existing keys (with prefixes so you can identify them) and a Revoke button on each. Owners and admins can manage keys; members and viewers can't see this page.

Creating a key

  1. Name it. Give it a clear name — like “CI pipeline” or “Claude desktop”. The name shows up in the Existing Keys list and helps future-you remember which automation owns the key.
  2. Pick environment. Live for production automations, Test for local development or staging tools. The token prefix is oab_live_ or oab_test_ accordingly. It's an organizational label today, not a behavioral switch.
  3. Pick scopes. Check only what the script needs. Narrower keys are safer if one ever leaks. See the table below for what each scope covers.
  4. Optionally restrict to projects. Leave Project Access unchecked for an all-projects key. Check specific projects to limit the key to those — useful for per-site CI pipelines.
  5. Copy the token. After you submit, the full token appears once under Copy This Token Now. Paste it into your secrets manager immediately — the dashboard won't show the full secret again.

Available scopes

Scope               What it covers
projects:read       List projects and read project settings.
projects:write      Create, update, and delete projects.
experiments:read    List tests, read variants, goals, and configuration.
experiments:write   Create, update, and delete tests, variants, and goals.
results:read        Fetch test results, statistics, and per-variant numbers.
account:read        Read account-level metadata (plan, members, branding).
api_keys:write      Create and revoke other API keys via the REST API.
sdk:write           Server-side calls to the same endpoints the browser SDK uses (init, track, convert).

Revoking a key

Open Settings → API & MCP, find the key in the Existing Keys list, and click Revoke. The key stops working immediately — any script using it will start getting authentication errors. The revoked key stays in the list with a Revoked badge so you have a record of what was issued and when it was retired. Revoking is one-way; to restore access, create a new key.

Keeping keys safe

Store keys in a secrets manager. 1Password, Doppler, your CI's encrypted environment variables — never in a public repo or chat message. Treat them like passwords.

One key per automation. Each script, runner, or assistant gets its own named key. That way, revoking one doesn't break the others, and the activity trail tells you who used what.

Use the narrowest scopes that work. A read-only reporting script doesn't need experiments:write. If a script only fetches results, give it only results:read.

Rotate when in doubt. If you suspect a key has leaked — even uncertainly — revoke it and issue a new one. The cost is minutes of script re-configuration; the cost of a compromised key is much higher.
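The following is an added example of how a script can put these rules into practice; it is not code from the Otter A/B project. It covers the "Creating a key" environment choice (a process asserts whether it expects an oab_live_ or oab_test_ key) and the "Keeping keys safe" guidance (load from the environment rather than source, redact in logs, and scan a diff or chat export for a full token before it is committed or shared). The page documents only the oab_live_ / oab_test_ prefixes; the assumed token tail (at least 20 URL-safe characters), the environment variable name OTTER_API_KEY, and the sample diff are constructed for this example.

```python
import os
import re
from typing import List, Mapping, Optional, Tuple

# Assumed token shape: the page documents only the oab_live_ / oab_test_ prefixes.
# The tail (20+ URL-safe characters) is an assumption of this example, not a documented format.
TOKEN_RE = re.compile(r"\boab_(live|test)_[A-Za-z0-9_-]{20,}\b")


def key_environment(token: str) -> str:
    """Return 'live' or 'test' from the key prefix; raise if the value is not an Otter A/B key."""
    m = TOKEN_RE.fullmatch(token.strip())
    if not m:
        raise ValueError("value does not look like an Otter A/B API key")
    return m.group(1)


def load_api_key(expected_env: str, environ: Optional[Mapping[str, str]] = None,
                 var: str = "OTTER_API_KEY") -> str:
    """Read the key from the process environment (populated by a secrets manager or the CI
    secret store), never from source, and refuse a key whose environment label does not match
    what this process expects, e.g. a Test key wired into a production job."""
    env_map = os.environ if environ is None else environ  # injectable for tests
    token = env_map.get(var)
    if not token:
        raise RuntimeError(f"{var} is not set; inject it from your secrets manager")
    env = key_environment(token)
    if env != expected_env:
        raise RuntimeError(f"{var} is an oab_{env}_ key but this process expects {expected_env}")
    return token


def auth_header(token: str) -> dict:
    """API keys are bearer tokens, so REST and MCP calls send them in the Authorization header."""
    return {"Authorization": f"Bearer {token}"}


def redact(token: str) -> str:
    """Keep only the prefix and last four characters so a log line can identify which key was
    used (matching the prefix shown in the Existing Keys list) without exposing the secret."""
    env = key_environment(token)
    return f"oab_{env}_...{token[-4:]}"


def find_leaked_keys(text: str) -> List[Tuple[int, str]]:
    """Scan text (a git diff, a chat export, a log file) for full tokens.
    Returns (line_number, redacted_token) pairs; never returns the full secret."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            hits.append((n, redact(m.group(0))))
    return hits


# Constructed sample diff: a hard-coded key being replaced by an environment lookup.
SAMPLE_DIFF = """\
+++ b/scripts/report.py
 import requests
-API_KEY = "oab_live_0123456789abcdefghijklmnop"
+API_KEY = os.environ["OTTER_API_KEY"]
"""

if __name__ == "__main__":
    for line_no, shown in find_leaked_keys(SAMPLE_DIFF):
        print(f"line {line_no}: possible API key {shown}; revoke it and issue a new one")
    key = load_api_key("live", environ={"OTTER_API_KEY": "oab_live_0123456789abcdefghijklmnop"})
    print("calling with", auth_header(key)["Authorization"][:len("Bearer oab_live_")] + "...")
```

Run find_leaked_keys over `git diff --cached` output in a pre-commit hook, or over a pasted chat message, to catch a token before it leaves the machine; any hit is a reason to revoke that key on the API & MCP page and issue a new one, as the rotation advice above says.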

Frequently asked questions

Quick answers to the questions teams ask most about this part of Otter A/B.