
Auth, Billing, and First Utility

API keys are the primary authentication method for all plans. Create an org, mint an org-scoped key, make a real request, then attach billing only after a successful test request. Enterprise SSO is available through the enterprise rollout path; contact sales to discuss requirements.

Auth model

API keys (primary)

All REST, SDK, and CLI clients use org-scoped x-api-key credentials. This is the primary authentication method for every plan.

Hosted MCP

MCP clients use WorkOS OAuth discovery through api.secapi.ai.

Enterprise SSO

Enterprise SSO is available through the enterprise rollout path. Contact sales to discuss requirements.

Agent-native entry path

  • start at the public /agents overview when the caller is an external coding agent or administrator
  • mint a short-lived sponsor token with POST /v1/agent/bootstrap_tokens from a human-authenticated org session
  • exchange that sponsor token at POST /v1/agent/bootstrap
  • preserve the returned API key secret once, then treat it as the machine credential for REST, SDK, CLI, or hosted MCP

Default onboarding motion

1. Create your org and API key

   Start at the marketing-site Get Free API Key button or the /login route. Complete the sign-in flow to create your org and mint your first org-scoped API key in one step.

2. Check billing state

   Use GET /v1/billing to see the current plan, billing state, available keys, and any account-specific evaluation credit.

3. Make one real request

   Resolve an issuer, fetch a filing, or run one statement workflow before you think about plan changes.

4. Attach billing only when the work is real

   Activate Pay As You Go or move directly to a commit plan when the workflow is ready for paid usage.

Billing states

  • sandbox_grant
  • payg_pending_card
  • payg_active
  • personal_active
  • team_active
  • commercial_active
  • payment_failed
  • restricted_read_only

Public plans

Pay As You Go

Default paid motion. No fixed monthly fee. Higher per-call pricing in exchange for the lowest signup friction.

Personal

Monthly or annual commit plan for individual developers and analysts who want lower unit pricing.

Team

Shared-org plan with higher throughput, more keys, and better economics for small teams.

Commercial

Annual contract plan for redistribution rights, commercial embedding, and deeper support.

Pricing

  • GET /v1/billing/rates is the source of truth for public plan and meter pricing
  • Pay As You Go is the default paid path
  • annual billing is the default on commit plans
  • Team and Commercial are for shared or externalized usage, not just more requests
  • redistribution, embedding, resale, and broader commercial rights begin at Commercial

WebSocket Rate Limits

Chat messages sent through the SEC API Agent WebSocket runtime are rate-limited per user. The default ceiling is 30 requests per minute unless your organization has a custom limit. Non-chat messages, such as permission responses and plan approvals, are exempt because they respond to server-initiated prompts. Rate-limited requests receive a clear error message with a retry-after interval. The WebSocket connection stays open, so interactive workflows can continue after the backoff window.

Billing entry points

  • GET /v1/billing
  • GET /v1/billing/rates
  • POST /v1/billing/quote
  • PUT /v1/billing/budget
  • POST /v1/billing/payg/activate
  • POST /v1/billing/checkout
  • POST /v1/billing/portal
  • POST /v1/agent/bootstrap_tokens
  • POST /v1/agent/bootstrap
  • GET /v1/limits

What to log

Preserve billing and plan headers in logs and traces so entitlement changes are visible before they affect production workflows.

  • Request-Id
  • traceparent
  • secapi-meter-class
  • secapi-plan-key
  • secapi-billing-status
  • secapi-billing-state
  • secapi-free-grant-remaining
  • secapi-token-count
  • secapi-estimated-cost
  • secapi-token-count-estimated (present only when the count fell back to a byte/4 approximation)
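As an added example (not code from the SEC API docs or SDK), the following Python pulls the headers listed above off a response's header map, logs them, and refuses to continue when the billing state is one that should halt metered work. The header names and state values are the ones documented on this page; the choice of which states block, the `grant_floor` threshold, and `SAMPLE_HEADERS` are assumptions of the example.

```python
import logging
from typing import Mapping

log = logging.getLogger("secapi.billing")

# Headers the page says to preserve in logs and traces.
BILLING_HEADERS = (
    "Request-Id", "traceparent", "secapi-meter-class", "secapi-plan-key",
    "secapi-billing-status", "secapi-billing-state", "secapi-free-grant-remaining",
    "secapi-token-count", "secapi-estimated-cost", "secapi-token-count-estimated",
)
# Assumption: the page lists the billing states but does not say which ones
# should stop a workflow; these two are treated as blocking here.
BLOCKING_STATES = {"payment_failed", "restricted_read_only"}


def extract_billing_headers(headers: Mapping[str, str]) -> dict:
    """Return the documented billing headers found in a response (names matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {n: lower[n.lower()] for n in BILLING_HEADERS if n.lower() in lower}


def entitlement_check(headers: Mapping[str, str], grant_floor: int = 10) -> dict:
    """Log the billing headers and return {"proceed", "reason", "fields"} for the next metered call."""
    fields = extract_billing_headers(headers)
    state = fields.get("secapi-billing-state", "")
    log.info("billing headers: %s", fields)
    if state in BLOCKING_STATES:
        return {"proceed": False, "reason": f"billing state {state}", "fields": fields}
    if "secapi-token-count-estimated" in fields:
        # Page: this header is present only when the count fell back to a byte/4 approximation.
        log.warning("token count is an estimate; cost %s is approximate",
                    fields.get("secapi-estimated-cost"))
    if state == "sandbox_grant":
        try:
            remaining = int(fields.get("secapi-free-grant-remaining", ""))
        except ValueError:
            remaining = None  # header missing or non-numeric: do not guess
        if remaining is not None and remaining < grant_floor:
            return {"proceed": True, "reason": f"grant nearly exhausted ({remaining} left)",
                    "fields": fields}
    return {"proceed": True, "reason": "ok", "fields": fields}


# Constructed sample response headers (not real API output).
SAMPLE_HEADERS = {"Request-Id": "req-example-0001", "secapi-plan-key": "example-plan",
                  "secapi-billing-state": "restricted_read_only",
                  "secapi-token-count": "1200", "secapi-estimated-cost": "0.004"}
```

Wire `entitlement_check` to run on every response in a loop so a transition to payment_failed or restricted_read_only is caught from the headers of the call that observed it, rather than discovered after the next request is rejected.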

MCP OAuth discovery endpoints

These endpoints support hosted MCP. They are not part of the primary human-auth flow: API keys cover every REST, SDK, and CLI client.

  • protected resource metadata: https://api.secapi.ai/.well-known/oauth-protected-resource
  • authorization server metadata: https://api.secapi.ai/.well-known/oauth-authorization-server
