Skip to main content

Mint phantom token

This is a control-plane endpoint on the admin host (e.g. admin.knoxcall.com). It is authenticated with a session JWT plus the X-Tenant-ID header and requires an owner or admin role — not an API key. It does not use the api.knoxcall.com API-key auth described in the shared Authentication section.
Request body
Both fields are optional. name defaults to key-<timestamp> if omitted, and dpop_required defaults to false. The token kind is always agent, and its scope (providers and models) is derived automatically from the agent’s configured default_model — it is not accepted from the request body. Response
key.id is the phantom token’s UUID. key.prefix is the first 12 characters of the generated token (kc_live_a_ followed by two of its random hex characters).
The raw key.token value is returned exactly once — at minting time. KnoxCall stores only a sha256 hash. Save it to your secrets manager immediately.