> ## Documentation Index
> Fetch the complete documentation index at: https://docs.knoxcall.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Mint Phantom Token

> Mint a short-lived DPoP-bound capability token for an AI agent.

### Mint phantom token

```http theme={"dark"}
POST /admin/ai-gateway/{gatewayId}/agents/{agentId}/keys
```

<Note>
  This is a control-plane endpoint on the admin host (e.g. `admin.knoxcall.com`). It is authenticated with a session JWT plus the `X-Tenant-ID` header and requires an owner or admin role — not an API key. It does not use the `api.knoxcall.com` API-key auth described in the shared Authentication section.
</Note>

**Request body**

```json theme={"dark"}
{
  "name": "CI pipeline token",
  "dpop_required": false
}
```

Both fields are optional. `name` defaults to `key-<timestamp>` if omitted, and `dpop_required` defaults to `false`. The token kind is always `agent`, and its scope (providers and models) is derived automatically from the agent's configured `default_model` — it is not accepted from the request body.

**Response**

```json theme={"dark"}
{
  "key": {
    "id": "7f3c1e8a-2b4d-4f6a-9c1e-0a2b4d6f8c1e",
    "name": "CI pipeline token",
    "prefix": "kc_live_a_xx",
    "token": "kc_live_a_...",
    "dpop_required": false
  },
  "message": "Save this token now. It will not be shown again."
}
```

`key.id` is the phantom token's UUID. `key.prefix` is the first 12 characters of the generated token (`kc_live_a_` followed by two of its random hex characters).

<Warning>
  The raw `key.token` value is returned exactly once — at minting time. KnoxCall stores only a sha256 hash. Save it to your secrets manager immediately.
</Warning>
