FinalApproval

API keys

One key per channel.Revocable in a click.

Every channel gets its own fa_ key. Your agent uses it to submit approvals. Lose it, leak it, or retire it without touching any of your other channels.

Start free
app.finalapproval.ai/dashboard/channels/new

New channel · Content publishing

Channel created

Ready

Shown once · copy it now

API key

fa_7b2a8c9e3f14d0e6a1b5c8d7e4f2a9c1b0e8d3f4a7b6c5d2e1f0a3b8c9d4e5f6
You'll never see this key again. Save it in your secret manager before you close this screen.

Send your first approval

curl https://www.finalapproval.ai/api/v1/approvals \
  -H "Authorization: Bearer fa_7b2a…" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Publish blog post",
    "body": "<p>Ready to ship.</p>",
    "agent_id": "blog-publisher"
  }'

Shown once

The raw key is displayed at creation. Never again.

We store a SHA-256 hash server-side. The plaintext exists only on the screen in front of you at creation time. That's the same contract Stripe, GitHub, and every other serious API uses.

  • SHA-256 hash on disk · plaintext only in the reveal screen
  • Copy-to-clipboard button with a quick confirmation
  • If you lose it, you rotate — there's no recovery, by design
storage

On your screen

fa_7b2a8c9e3f14d0e6a1b5c8d7e4f2a9c1…

On our disk

sha256: b14e…a902

Rotate without downtime

New key issued. Old key still works until you kill it.

Agents in production don't love being edited mid-shift. Rotation issues a new key alongside the existing one. You deploy, confirm traffic on the new key, then revoke the old one when you're ready.

  • Two keys can be live on a channel at once
  • Revoke the old key from the channel page with one click
  • All submissions are logged with the fingerprint of the key used
keys · chn_b12a

b14e…a902

active · 3m old

new

7f22…1c84

deprecated · 42 days old

revoke

Scoped to the channel

A leaked key only touches the channel it belongs to.

Keys aren't workspace-wide. Each one can only submit approvals to its own channel. Rate-limits and daily quotas are enforced per-key, so a runaway agent can't fill the disk for your whole workspace.

  • Per-channel scope · a leaked key can't escalate to other channels
  • Per-key rate limit and daily quota, configurable
  • Submission history by key fingerprint for forensics
per-channel scope

Content

fa_***

your key

Billing

fa_***

Deploys

fa_***

The Content key can't submit to Billing or Deploys. A leak stays in its lane.

Production-safe keys from minute one.

Create a channel. Copy the fa_ key into your agent. Revoke it if you ever need to.

Start free See how it works