A small open-source library for scoped, budgeted, time-bounded API keys

Katrina Laszlo released agentkey, an open-source library that adds scoped, budgeted, and time-bounded API keys to existing Postgres databases. The library addresses the need for per-key spend limits, particularly for AI agents that can rapidly consume budgets through parallel requests. It provides atomic budget enforcement and Express middleware, and is available under an MIT license.

When I led self-serve at a usage-based data company, one of the most common feature requests was credit limits per API key. People wanted to hand a key to a script, a teammate, or now an AI agent, and know it couldn't run up the whole bill. We get the same request at my current startup, Tanso.

Account-level and user-level limits exist; that's what enterprise quota systems are for. But they're heavy. For a startup there wasn't a simple drop-in. So I wrote one.

agentkey does four things:

AI agents made this urgent. An agent spends on its own: a loop or a bad prompt can burn a month's budget before anyone looks at a dashboard. And here's the part most tools miss: scoped keys tell you what an agent can do, not how much it can spend. LLM gateways cap spend. Identity platforms scope keys. Neither does both at the key level. agentkey does.

It's not a new auth system. It adds a few columns to your existing Postgres keys table and gives you a small API.

```
npm install @katrinalaszlo/agentkey
```

Create a key that's scoped, budgeted, and expiring:

```js
import { AgentKey } from '@katrinalaszlo/agentkey';

const ak = new AgentKey({ pool }); // your pg Pool

const key = await ak.create({
  accountId: 'acct_123',
  scopes: ['proxy.chat'],
  budgetCents: 5000, // $50 cap
  budgetPeriod: 'month',
  expiresIn: '7d',
  delegatedBy: 'user_456', // the human who authorized this agent
});
```

Validate on each request, and track spend after a call:

```js
const result = await ak.validate(key.key);
// { valid: true, scopes: ['proxy.chat'], budgetRemainingCents: 5000, ... }

await ak.trackUsage(key.key, { costCents: 15 }); // after an LLM call
```

Budget enforcement is atomic, so concurrent agent calls can't race past the cap, which matters, because agents fire requests in parallel.

There's also Express middleware if you want it:

```js
// Reject requests whose key is invalid or lacks the 'proxy.chat' scope before the handler runs
app.post('/api/proxy', agentKeyMiddleware(ak, { scope: 'proxy.chat' }), handler);
```

It's small and focused, extracted from a real production key system, MIT-licensed. It isn't trying to be Clerk or Auth0. If you already have a keys table and you want per-key spend caps without building a quota system, it's a few columns and a function call.

npm: [@katrinalaszlo/agentkey](https://www.npmjs.com/package/@katrinalaszlo/agentkey) · GitHub: [katrinalaszlo/agentkey](https://github.com/katrinalaszlo/agentkey)
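
Why the atomic budget check above matters, as an added example (not agentkey's code and not from the original post): a read-then-write charge and a single-step conditional charge are each hit with 1,000 parallel calls against the $50 cap. An in-memory object stands in for the Postgres keys row, and the column names in the SQL comment are hypothetical.

```javascript
// Added illustration; not agentkey's code. An in-memory object stands in for a keys-table row.
const tick = () => new Promise((resolve) => setImmediate(resolve)); // simulated DB round trip

// Check-then-act: read the spend, then write the new total in a second step.
async function naiveCharge(row, costCents) {
  const spent = row.spentCents;        // SELECT spent_cents ...
  await tick();                        // other requests interleave here
  if (spent + costCents > row.budgetCents) return false;
  row.spentCents = spent + costCents;  // UPDATE using the stale value read above
  return true;
}

// Atomic: the cap test and the increment happen in one step with no await between them.
// The SQL analogue (hypothetical column names) is a single conditional UPDATE:
//   UPDATE keys SET spent_cents = spent_cents + $1
//   WHERE id = $2 AND spent_cents + $1 <= budget_cents
//   RETURNING spent_cents;            -- zero rows returned means "over budget"
async function atomicCharge(row, costCents) {
  await tick();
  if (row.spentCents + costCents > row.budgetCents) return false;
  row.spentCents += costCents;
  return true;
}

// Fire `calls` parallel charges at a fresh row and report what got through.
async function simulate(charge, { budgetCents, costCents, calls }) {
  const row = { budgetCents, spentCents: 0 };
  const results = await Promise.all(
    Array.from({ length: calls }, () => charge(row, costCents)),
  );
  const accepted = results.filter(Boolean).length;
  return { accepted, billedCents: accepted * costCents, recordedCents: row.spentCents };
}

async function main() {
  const load = { budgetCents: 5000, costCents: 15, calls: 1000 }; // constructed workload
  console.log('naive ', await simulate(naiveCharge, load));
  console.log('atomic', await simulate(atomicCharge, load));
}
main();
```

The naive version accepts all 1,000 calls (15,000 cents of real spend) while recording only 15 cents, so the overrun is also invisible in the table; the atomic version stops at 333 calls and 4,995 cents.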