
Auth, Billing, and First Utility

API keys are the primary authentication method for all plans. Create an org, mint an org-scoped key, make a real request, then attach billing only when the workflow proves itself. OAuth/SSO via WorkOS is planned for the enterprise tier in 2026 Q3+.

Auth model

API keys (primary)

All REST, SDK, and CLI clients use org-scoped x-api-key credentials. This is the primary authentication method for every plan.

Hosted MCP

MCP clients use WorkOS OAuth discovery through api.secapi.ai. This is the only surface where WorkOS is customer-visible today.

Enterprise SSO

OAuth/SSO via WorkOS is planned for the enterprise tier in 2026 Q3+. Contact sales for roadmap details.

Agent-native entry path

  • start at the public /agents overview when the caller is an external coding agent or operator
  • mint a short-lived sponsor token with POST /v1/agent/bootstrap_tokens from a human-authenticated org session
  • exchange that sponsor token at POST /v1/agent/bootstrap
  • preserve the returned API key secret once, then treat it as the machine credential for REST, SDK, CLI, or hosted MCP
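The two-step exchange above, as an added Python example written for this page rather than code from SECAPI or its SDK. The endpoint paths and the final `x-api-key` header come from the page; the response field names (`sponsor_token`, `api_key`), the bearer-style header used to present the sponsor token, the `session=human` cookie standing in for a human-authenticated org session, and the in-memory `fake_transport` are all assumptions so the flow runs offline. The point it adds is the last bullet: the key secret is written exactly once, owner-read-only, and never overwritten on a re-run.

```python
import os
import stat
import tempfile
from pathlib import Path

API_BASE = "https://api.secapi.ai"          # host from the page
BOOTSTRAP_TOKENS_PATH = "/v1/agent/bootstrap_tokens"
BOOTSTRAP_PATH = "/v1/agent/bootstrap"

# A transport is any callable (method, url, headers, body) -> (status, json_body).
def mint_sponsor_token(transport, session_headers) -> str:
    """Step 1: from a human-authenticated org session, mint a short-lived sponsor token.
    The response field name 'sponsor_token' is an assumption for this example."""
    status, body = transport("POST", API_BASE + BOOTSTRAP_TOKENS_PATH, session_headers, {})
    if status != 200 or "sponsor_token" not in body:
        raise RuntimeError(f"bootstrap_tokens failed: HTTP {status}")
    return body["sponsor_token"]

def exchange_sponsor_token(transport, sponsor_token) -> str:
    """Step 2: exchange the sponsor token for the org-scoped API key.
    The 'api_key' field and the Bearer header are assumptions for this example."""
    headers = {"Authorization": f"Bearer {sponsor_token}"}
    status, body = transport("POST", API_BASE + BOOTSTRAP_PATH, headers, {})
    if status != 200 or "api_key" not in body:
        raise RuntimeError(f"bootstrap failed: HTTP {status}")
    return body["api_key"]

def persist_once(secret: str, path: Path) -> bool:
    """Write the secret exactly once with mode 0600; O_EXCL refuses to clobber an existing file."""
    if path.exists():
        return False
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret)
    return True

def api_key_headers(path: Path) -> dict:
    """Every later REST/SDK/CLI call reads the stored key and sends it as x-api-key."""
    return {"x-api-key": path.read_text().strip()}

def bootstrap_agent(transport, session_headers, key_path: Path) -> dict:
    token = mint_sponsor_token(transport, session_headers)
    key = exchange_sponsor_token(transport, token)
    stored = persist_once(key, key_path)          # False on a re-run: secret is kept, not replaced
    return {"stored": stored, "headers": api_key_headers(key_path)}

# Constructed in-memory stand-in for api.secapi.ai so the example runs offline.
def fake_transport(method, url, headers, body):
    if url.endswith(BOOTSTRAP_TOKENS_PATH) and headers.get("Cookie") == "session=human":
        return 200, {"sponsor_token": "spt_constructed"}
    if url.endswith(BOOTSTRAP_PATH) and headers.get("Authorization") == "Bearer spt_constructed":
        return 200, {"api_key": "sk_constructed_example"}
    return 401, {"error": "unauthorized"}

def run_demo() -> dict:
    """Run the flow twice against the fake transport and report what happened."""
    key_path = Path(tempfile.mkdtemp()) / "secapi_key"
    first = bootstrap_agent(fake_transport, {"Cookie": "session=human"}, key_path)
    second = bootstrap_agent(fake_transport, {"Cookie": "session=human"}, key_path)
    return {
        "first_stored": first["stored"],
        "second_stored": second["stored"],
        "header": first["headers"]["x-api-key"],
        "mode": oct(stat.S_IMODE(key_path.stat().st_mode)),
    }

if __name__ == "__main__":
    print(run_demo())
```

Swap `fake_transport` for a real HTTP client with the same `(method, url, headers, body)` signature to use it against the live API; the one-time-write behaviour of `persist_once` is independent of the transport.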

Default onboarding motion

1. Create your org and API key

   Start at the marketing-site Get Free API Key button or the /login route. Complete the sign-in flow to create your org and mint your first org-scoped API key in one step.

2. Receive the starter grant

   Every new org starts with 250 included calls and one API key.

3. Make one real request

   Resolve an issuer, fetch a filing, or run one statement workflow before you think about plan changes.

4. Attach billing only when the work is real

   After the starter grant is exhausted, activate Pay As You Go or move directly to a commit plan.

Billing states

  • sandbox_grant
  • payg_pending_card
  • payg_active
  • personal_active
  • team_active
  • commercial_active
  • payment_failed
  • restricted_read_only

Public plans

Pay As You Go

Default paid motion. No fixed monthly fee. Higher per-call pricing in exchange for the lowest signup friction.

Personal

Monthly or annual commit plan for individual developers and analysts who want lower unit pricing.

Team

Shared-org plan with higher throughput, more keys, and better economics for small teams.

Commercial

Annual contract plan for redistribution rights, commercial embedding, and deeper support.

Launch pricing posture

  • every new org gets 250 included calls
  • Pay As You Go is the default paid path
  • annual billing defaults on commit plans
  • Team and Commercial are for shared or externalized usage, not just more requests
  • redistribution, embedding, resale, and broader commercial rights begin at Commercial

WebSocket rate posture

Chat messages sent through the OMNI Agent WebSocket runtime are rate-limited per user at a configurable requests-per-minute ceiling (default: 30 RPM). Non-chat messages — permission responses, plan approvals, label and source operations — are exempt because they are responses to server-initiated prompts, not user-initiated load. Rate-limited requests receive a clear error message with a retry-after interval. The WebSocket connection stays open. This posture protects shared infrastructure without punishing interactive workflows.
  • RATE_LIMIT_CHAT_RPM: per-user ceiling (default 30)
  • RATE_LIMIT_ENABLED: feature flag (default true in production)
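The rate posture described above, as an added example that is not the OMNI Agent runtime's own code. It is a per-user sliding-window limiter keyed by the two documented settings (`RATE_LIMIT_CHAT_RPM`, `RATE_LIMIT_ENABLED`); the exempt message type names in `EXEMPT_TYPES` and the error payload shape are assumptions. A rejected message gets a retry-after interval and the caller keeps the connection; nothing here closes a socket.

```python
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Defaults mirroring the documented settings (names from the page).
RATE_LIMIT_CHAT_RPM = 30
RATE_LIMIT_ENABLED = True

# Replies to server-initiated prompts are exempt. The literal type names are assumptions.
EXEMPT_TYPES = frozenset({"permission_response", "plan_approval", "label_op", "source_op"})

@dataclass
class ChatRateLimiter:
    rpm: int = RATE_LIMIT_CHAT_RPM
    enabled: bool = RATE_LIMIT_ENABLED
    window_seconds: float = 60.0
    _history: dict = field(default_factory=dict)   # user_id -> deque of send timestamps

    def check(self, user_id: str, msg_type: str, now: Optional[float] = None) -> dict:
        """Return {'allowed': bool, 'retry_after': seconds}. Exempt types bypass the window."""
        if now is None:
            now = time.monotonic()
        if not self.enabled or msg_type in EXEMPT_TYPES:
            return {"allowed": True, "retry_after": 0.0}
        q = self._history.setdefault(user_id, deque())
        cutoff = now - self.window_seconds
        while q and q[0] <= cutoff:          # expire sends that left the window
            q.popleft()
        if len(q) >= self.rpm:
            # The oldest in-window send decides when capacity frees up.
            retry_after = q[0] + self.window_seconds - now
            return {"allowed": False, "retry_after": round(retry_after, 3)}
        q.append(now)
        return {"allowed": True, "retry_after": 0.0}

def handle_message(limiter: ChatRateLimiter, user_id: str, message: dict, now=None) -> dict:
    """Per-message handler: returns a clear error with retry-after instead of dropping the connection."""
    verdict = limiter.check(user_id, message.get("type", "chat"), now)
    if verdict["allowed"]:
        return {"ok": True}
    return {"ok": False, "error": "rate_limited", "retry_after": verdict["retry_after"]}

if __name__ == "__main__":
    lim = ChatRateLimiter(rpm=3)
    for t in range(5):   # constructed burst: sends at t=100..104 from one user
        print(handle_message(lim, "user-a", {"type": "chat"}, now=100.0 + t))
    print(handle_message(lim, "user-a", {"type": "permission_response"}, now=104.0))
```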

Billing entry points

  • GET /v1/billing
  • GET /v1/billing/rates
  • POST /v1/billing/quote
  • PUT /v1/billing/budget
  • POST /v1/billing/payg/activate
  • POST /v1/billing/checkout
  • POST /v1/billing/portal
  • POST /v1/agent/bootstrap_tokens
  • POST /v1/agent/bootstrap
  • GET /v1/limits
  • GET /v1/dashboard/overview

What to log

Do not treat billing and plan headers as decorative. Preserve them in logs, traces, and downstream artifacts so degraded entitlement posture is visible before it becomes a production incident.
  • Request-Id
  • traceparent
  • Omni-Meter-Class
  • Omni-Plan-Key
  • Omni-Billing-Status
  • Omni-Billing-State
  • Omni-Free-Grant-Remaining
  • Omni-Token-Count
  • Omni-Estimated-Cost
  • Omni-Token-Count-Estimated (present only when the count fell back to a byte/4 approximation)
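A concrete way to act on the list above, added here as an example rather than taken from SECAPI's SDK: pull the named headers off every response, emit them as one structured log record, and raise the log level when the billing state is one the page lists as degraded. The header names and the state values `payment_failed` / `restricted_read_only` are from the page; the sample header values, the grant-remaining warning threshold, and the JSON record layout are constructed for this example.

```python
import json
import logging
from typing import Mapping

# Headers the page says to preserve in logs, traces, and downstream artifacts.
PRESERVED_HEADERS = (
    "Request-Id", "traceparent", "Omni-Meter-Class", "Omni-Plan-Key",
    "Omni-Billing-Status", "Omni-Billing-State", "Omni-Free-Grant-Remaining",
    "Omni-Token-Count", "Omni-Estimated-Cost", "Omni-Token-Count-Estimated",
)

# Billing states from the page that mean calls are already degraded or blocked.
DEGRADED_STATES = frozenset({"payment_failed", "restricted_read_only"})
# Assumed threshold for warning before the 250-call starter grant runs dry.
GRANT_WARN_THRESHOLD = 25

def extract_billing_context(headers: Mapping[str, str]) -> dict:
    """Pick out the preserved headers, matching names case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {name: lower.get(name.lower()) for name in PRESERVED_HEADERS}

def assess_posture(ctx: dict) -> dict:
    """Flag a degraded entitlement posture and say why."""
    reasons = []
    state = ctx.get("Omni-Billing-State")
    if state in DEGRADED_STATES:
        reasons.append(f"billing_state={state}")
    grant = ctx.get("Omni-Free-Grant-Remaining")
    if grant is not None and grant.isdigit() and int(grant) <= GRANT_WARN_THRESHOLD:
        reasons.append(f"free_grant_remaining={grant}")
    return {"degraded": bool(reasons), "reasons": reasons}

def log_billing_context(headers: Mapping[str, str], logger=None) -> dict:
    """Emit one JSON record per response; WARNING when posture is degraded, INFO otherwise."""
    logger = logger or logging.getLogger("secapi.billing")
    ctx = extract_billing_context(headers)
    posture = assess_posture(ctx)
    record = {k: v for k, v in ctx.items() if v is not None}
    record["token_count_estimated"] = ctx.get("Omni-Token-Count-Estimated") is not None
    record.update(posture)
    logger.log(logging.WARNING if posture["degraded"] else logging.INFO,
               json.dumps(record, sort_keys=True))
    return record

# Constructed sample response headers (values are illustrative, not real IDs).
SAMPLE_DEGRADED = {
    "Request-Id": "req_constructed_001",
    "traceparent": "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01",
    "Omni-Meter-Class": "filing_fetch",
    "Omni-Plan-Key": "payg",
    "Omni-Billing-Status": "blocked",
    "Omni-Billing-State": "payment_failed",
    "Omni-Free-Grant-Remaining": "0",
    "Omni-Token-Count": "1834",
    "Omni-Estimated-Cost": "0.0042",
}
SAMPLE_HEALTHY = {
    "request-id": "req_constructed_002",          # lower-case to show case-insensitive matching
    "traceparent": "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01",
    "omni-billing-state": "sandbox_grant",
    "omni-free-grant-remaining": "200",
    "omni-token-count": "512",
    "omni-token-count-estimated": "true",
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    log_billing_context(SAMPLE_DEGRADED)
    log_billing_context(SAMPLE_HEALTHY)
```

Wire `log_billing_context` into the response hook of whatever HTTP client the agent uses; because `Request-Id` and `traceparent` travel in the same record, a degraded-posture warning can be joined back to the trace that produced it.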

MCP OAuth discovery endpoints

These endpoints back the hosted MCP surface. They are not part of the primary human-auth flow — API keys cover every REST, SDK, and CLI client.
  • protected resource metadata: https://api.secapi.ai/.well-known/oauth-protected-resource
  • authorization server metadata: https://api.secapi.ai/.well-known/oauth-authorization-server

Plans and Pricing

Review the starter grant, PAYG, commit plans, and rights boundaries.

Agent Billing

Learn how agents should reason about billing posture before expensive loops.

Pay As You Go

See the PAYG activation flow and the billing state transition after the grant is exhausted.