X-API-Key header. You manage keys from the admin dashboard and can revoke them at any time. For the key format, rate-limit behavior, and server-side error responses, see the Authentication page in the API reference.
Scopes
Each key has one of two scopes:
Use
read_only keys for AI agents unless the agent specifically needs to categorize transactions or create rules. This limits the blast radius if a key is ever exposed.
Generate a key from the dashboard
1
Open API Keys
In the admin dashboard, navigate to Settings → API Keys.
2
Create a new key
Click Create API Key. Enter a descriptive name — for example,
Claude Agent or Home Budget Script — then click Generate Key.3
Copy the key immediately
The full key is displayed once and never stored in plaintext. Copy it now and save it in a password manager or secrets vault.After you leave this page, only the key’s prefix (
bb_a1b2c3) is visible in the dashboard.API keys are managed exclusively from the admin dashboard.
Key format
Every API key starts with thebb_ prefix followed by a random string of characters, for example:
Use a key in requests
Pass the key in theX-API-Key header on every request:
Revoke a key
To revoke a key, go to Settings → API Keys in the dashboard, find the key by its name or prefix, and click Revoke. Revocation takes effect immediately — any in-flight request using that key returns a403 Forbidden error.
Best practices
- Use a separate key for each client or agent so you can revoke access for one without affecting others.
- Prefer
read_onlykeys for AI agents unless they need to write data. - Rotate keys periodically, especially after personnel changes or suspected exposure.
- Never commit a key to version control. If you accidentally push a key, revoke it immediately and generate a replacement.