[ARTICLE · art-33109] src=dev.to ↗ pub= topic=developer-tools verified=true sentiment=↑ positive

A small open-source library for scoped, budgeted, time-bounded API keys

Katrina Laszlo released agentkey, an open-source library that adds scoped, budgeted, and time-bounded API keys to existing Postgres databases. The library addresses the need for per-key spend limits, particularly for AI agents that can rapidly consume budgets through parallel requests. It provides atomic budget enforcement and Express middleware, and is available under an MIT license.

2 min read · published Jun 18, 2026

When I led self-serve at a usage-based data company, one of the most common feature requests was credit limits per API Key. People wanted to hand a key to a script, a teammate, or now an AI agent, and know it couldn't run up the whole bill. We get the same request at my current startup, Tanso.

Account-level and user-level limits exist. That's what enterprise quota systems are for. But they're heavy. For a startup there wasn't a simple drop-in. So I wrote one.

agentkey does four things:

AI agents made this urgent. An agent spends on its own — a loop or a bad prompt can burn a month's budget before anyone looks at a dashboard. And here's the part most tools miss: scoped keys tell you what an agent can do, not how much it can spend. LLM gateways cap spend. Identity platforms scope keys. Neither does both at the key level. agentkey does.

It's not a new auth system. It adds a few columns to your existing Postgres keys table and gives you a small API.

npm install @katrinalaszlo/agentkey

Create a key that's scoped, budgeted, and expiring:

import { AgentKey } from '@katrinalaszlo/agentkey';

const ak = new AgentKey({ pool }); // your pg Pool

const key = await ak.create({
  accountId: 'acct_123',
  scopes: ['proxy.chat'],
  budgetCents: 5000,        // $50 cap
  budgetPeriod: 'month',
  expiresIn: '7d',
  delegatedBy: 'user_456',  // the human who authorized this agent
});

Validate on each request, and track spend after a call:

const result = await ak.validate(key.key);
// { valid: true, scopes: ['proxy.chat'], budgetRemainingCents: 5000, ... }

await ak.trackUsage(key.key, { costCents: 15 }); // after an LLM call

Budget enforcement is atomic, so concurrent agent calls can't race past the cap — which matters, because agents fire requests in parallel. There's also Express middleware if you want it:

app.post('/api/proxy', agentKeyMiddleware(ak, { scope: 'proxy.chat' }), handler);
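
Why the atomicity claim above matters, as an added example that is not agentkey's code: a constructed in-memory row and a deterministic worst-case scheduler compare a check-then-update charge with a single-step conditional charge. The function names, row fields and the SQL in the comment are assumptions for illustration.

```javascript
// Constructed in-memory stand-in for one row of a keys table (not agentkey's schema).
const makeRow = (budgetCents) => ({ budgetCents, spentCents: 0 });

// Racy: the budget check and the increment are two separate round trips.
function racyCharge(row, costCents) {
  let allowed = false;
  return [
    () => { allowed = row.spentCents + costCents <= row.budgetCents; },  // SELECT, then decide
    () => { if (allowed) row.spentCents += costCents; return allowed; }, // UPDATE afterwards
  ];
}

// Atomic: check and increment are one indivisible step, the in-memory analogue of
//   UPDATE keys SET spent = spent + $1
//   WHERE id = $2 AND spent + $1 <= budget RETURNING spent;
// (hypothetical column names; zero rows returned means "over budget").
function atomicCharge(row, costCents) {
  return [
    () => {
      if (row.spentCents + costCents > row.budgetCents) return false;
      row.spentCents += costCents;
      return true;
    },
  ];
}

// Worst-case interleaving: every request runs its step 1 before any request runs step 2.
function runConcurrently(charge, row, costCents, requests) {
  const plans = Array.from({ length: requests }, () => charge(row, costCents));
  const depth = Math.max(...plans.map((p) => p.length));
  let accepted = 0;
  for (let step = 0; step < depth; step++) {
    for (const plan of plans) {
      if (step >= plan.length) continue;
      const result = plan[step]();
      // Only the final step of a plan reports whether the charge was accepted.
      if (step === plan.length - 1 && result === true) accepted++;
    }
  }
  return { accepted, spentCents: row.spentCents };
}

// Ten parallel 15-cent calls against a 50-cent cap (constructed numbers).
function demo() {
  return {
    racy: runConcurrently(racyCharge, makeRow(50), 15, 10),
    atomic: runConcurrently(atomicCharge, makeRow(50), 15, 10),
  };
}
console.log(demo());
```

In the racy variant every request passes the check before any increment lands, so all ten are accepted; the single-step variant stops at the last charge that still fits under the cap.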

It's small and focused, extracted from a real production key system, MIT-licensed. It isn't trying to be Clerk or Auth0. If you already have a keys table and you want per-key spend caps without building a quota system, it's a few columns and a function call.

npm: @katrinalaszlo/agentkey · GitHub: katrinalaszlo/agentkey
