Agent Service Keys
Let AI agents call x402-protected APIs automatically — billed to your Metered account.
Agent Service Keys let you link any ERC-721 agent NFT to your RelAI account and issue a scoped service key. The agent uses that key on every request — RelAI identifies the agent, pays the x402 fee from your Metered account, and returns the API response. The agent never touches crypto.
The EVM network is only relevant once — when you link the agent to verify NFT ownership. After that, the sk-agent-... key is just a plain API key with no blockchain dependency.
Scoped key
Each sk-agent-... key is tied to a specific agent ID and contract
On-chain verified
Ownership checked against the NFT contract — no gas required
OAuth consent flow
Agents can request keys programmatically without a browser
How It Works
Step 1 — Prove You Own the Agent
RelAI generates a challenge message. You sign it with the wallet that owns the agent NFT. The backend verifies the signature and confirms on-chain ownership. No gas required.
Step 2 — Get the Service Key
Once ownership is confirmed, RelAI issues an sk-agent-... key tied to your account, the agent's contract address, and token ID.
Step 3 — Agent Calls APIs with Two Headers
The agent passes two headers on every request. RelAI identifies the agent, finds your Metered account, and pays the x402 fee automatically.
X-Service-Key: sk-agent-<your-key> X-Agent-ID: 1
Calling APIs as an Agent
Agents call APIs through the Metered endpoint — RelAI handles x402 payment automatically from your custodial wallet balance.
Metered Relay Shortcut
Call any RelAI-hosted API directly. RelAI detects the x402 requirement, pays it from your Metered wallet, and returns the API response.
curl https://relai.fi/metered/{apiId}/api/endpoint \
-H "X-Service-Key: sk-agent-..." \
-H "X-Agent-ID: 1"Metered Proxy — Any External API
Proxy any external x402-protected URL.
curl "https://relai.fi/metered/x?url=https://api.example.com/data" \ -H "X-Service-Key: sk-agent-..." \ -H "X-Agent-ID: 1"
How Does the Agent Know to Use RelAI?
An agent never discovers RelAI on its own — the person deploying the agent tells it to use RelAI for payments, the same way they configure any other API credential (OpenAI key, database URL, etc.).
The agent is started with one of the following:
Environment variables
RELAI_CONSENT_URL=https://relai.fi/agent-keys/consent/initiate RELAI_API_ID=1772665023009
The agent sees these at startup, initiates the consent flow, and retrieves a key automatically.
Config file
{
"paymentProvider": "relai",
"relai": {
"consentUrl": "https://relai.fi/agent-keys/consent/initiate",
"apiId": "1772665023009"
}
}Already have a key? Skip the flow entirely
RELAI_SERVICE_KEY=sk-agent-... RELAI_AGENT_ID=1 RELAI_API_ID=1772665023009
If a key was issued before (manually from the dashboard or from a previous consent), the agent can use it directly — no consent flow needed.
Tip: The consent flow is only needed once per agent. After the key is issued, the agent stores it and reuses it for all future requests — no re-authentication required.
OAuth Consent Flow
For autonomous agents that can't open a browser, RelAI supports a programmatic consent flow similar to OAuth device authorization. The agent requests access, the user approves via a link, and the agent retrieves the key — without ever having the user's credentials.
1. Initiate
curl -X POST https://relai.fi/agent-keys/consent/initiate \
-H "Content-Type: application/json" \
-d '{
"agentPubKey": "0xABC...",
"agentId": "1",
"contractAddress": "0x8004...",
"network": "skale-base",
"agentName": "My Trading Bot",
"label": "Trading Bot"
}'{
"consentToken": "4f119402c96d15a08e3f27775aef0898",
"authorizeUrl": "https://relai.fi/authorize?token=4f119402...",
"expiresAt": "2026-03-06T14:00:00Z"
}2. User Approves
The user opens authorizeUrl in a browser, logs in to RelAI, and clicks Allow. No wallet signing required. The link expires after 15 minutes and can only be used once.
3. Poll for Approval
curl https://relai.fi/agent-keys/consent/status/4f119402...
# → { "status": "approved", "retrieveNonce": "abc123..." }Possible statuses: consent_pending · approved · rejected · expired · retrieved
4. Retrieve the Key
The agent signs the retrieveNonce with its private key to prove it controls the keypair declared at initiation. The key is delivered only once.
import { ethers } from 'ethers';
const wallet = new ethers.Wallet(AGENT_PRIVATE_KEY);
const status = await fetch('/agent-keys/consent/status/' + token).then(r => r.json());
const sig = await wallet.signMessage(status.retrieveNonce);
const { key } = await fetch('/agent-keys/consent/retrieve', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ consentToken: token, signature: sig })
}).then(r => r.json());
// key = 'sk-agent-...'API Reference
/agent-keys/consent/initiatePublicStart the consent flow. Returns a consentToken and authorizeUrl.
| Field | Type | Required | Description |
|---|---|---|---|
| agentPubKey | string | required | Agent's public key (EVM address or any unique identifier) |
| agentId | string | optional | Token ID of the agent NFT |
| contractAddress | string | optional | ERC-721 contract address |
| network | string | optional | EVM network name or custom RPC URL |
| agentName | string | optional | Human-readable agent name shown in the consent UI |
| label | string | optional | Label for the issued key |
/agent-keys/consent/status/:tokenPublicPoll consent status. Returns retrieveNonce when approved.
/agent-keys/consent/retrievePublicRetrieve the service key. Requires agent signature of retrieveNonce.
| Field | Type | Required | Description |
|---|---|---|---|
| consentToken | string | required | Token from initiate response |
| signature | string | required | Signature of retrieveNonce using the agent's private key |
/agent-keysBearer JWTList all agent keys linked to your account.
/agent-keys/:keyIdBearer JWTRevoke an agent key permanently. Immediate effect.
Security Model
- Ownership verified on-chain — You can't link an agent you don't own — the NFT contract is queried directly.
- Scoped key — The sk-agent-... key only works with the specific X-Agent-ID it was issued for.
- Keypair challenge — In the OAuth flow, the key is delivered only to the agent that holds the matching private key (signs retrieveNonce).
- Revocable at any time — One click in the dashboard removes the key permanently — with a confirmation prompt.
- No credential exposure — The agent never sees your private key or your RelAI JWT token.
- Payments enforced — Agents must go through the Metered endpoint — direct relay access still requires x402 payment.
Dashboard
Manage agent keys from Dashboard → Agent Keys.
Link Agent
Enter contract address, token ID, and network. Connect MetaMask and sign the challenge (no gas). Key is issued immediately.
Revoke Key
Click the trash icon next to a key. A confirmation dialog appears before permanent deletion. Takes effect immediately.