agentcentral
Sign InStart trial
← Best Practices
Habit 1

Scope API Keys By Workflow

Give each agent or job the smallest useful Agent Central tool surface.

Why Workflow Scope Matters

A broad key gives the model a broad decision space. That can be useful for exploration, but it is usually not what you want for a daily operator workflow. A sales reviewer should not need write tools. An ads audit should not need catalog write access. An inventory operator should not need keyword bid tools.

The practical goal is not perfect security theory. The goal is a smaller, cleaner tool surface that makes Claude, ChatGPT, OpenClaw, or your custom agent more likely to choose the right tool on the first attempt.

Starter Scopes

WorkflowIncludeAvoid
Daily sales reviewerSales, orders, listings, and inventory read tools.Ads writes, catalog writes, fulfillment writes.
Ads analystAds read tools: campaign performance, search terms, keyword performance, product performance, SQP, and TACOS.Bid and budget writes unless the job is approved for changes.
Inventory operatorInventory health, FBA/AWD inventory, inbound shipments, sales velocity, and days-of-cover.Ads, ranking, and unrelated catalog write tools.
Ads writerOnly the exact bid, budget, bidding, state, or keyword write tools needed for a trusted workflow.Full Suite keys and unrelated write domains.

Key Design Checklist

  • Name the workflow before creating the key.
  • Start with read-only access unless the workflow must write.
  • Separate analysis keys from write-enabled keys.
  • Include only the domains and specific tools the job needs.
  • Document who or what uses the key and when it should be revoked.

Reusable Planning Prompt

I am creating an Agent Central API key for this workflow:

Workflow:
- Name:
- Person or agent using it:
- Business decision it supports:
- Data it needs:
- Actions it should be allowed to take:
- Actions it should never take:

Recommend the smallest useful Agent Central tool scope for this workflow. Separate read-only tools from any write tools, and call out anything that should require a separate key.

Continue Reading

Next: Share Tightly Scoped Keys, Not Broad Keys

Create separate keys for teammates, contractors, and write-enabled workflows.

Related Best Practices

Share scoped keys

Create separate keys for teammates, contractors, and write-enabled workflows.

Build a prompt library

Turn useful back-and-forth conversations into reusable one-shot prompts.

Ask for answer format

Tell the agent the exact table, sorting, caveats, and takeaways you need.

Dates, metrics, sources

Avoid ambiguous Amazon sales numbers by specifying dates, metrics, grouping, and freshness.

Scope API Keys By Workflow — agentcentral