Keeping your environment safe
Kognita provisions a dedicated agent environment per project. Here is how it is secured on our side, and what you should set up on the Anthropic side to stay in control of usage and spend.
How Kognita protects your environment
When you add an Anthropic API key to a project, Kognita takes several steps to keep it safe:
- Your key is encrypted before it is saved. The plaintext value is never written to disk or logged.
- After saving, the dashboard only shows a masked version of the key. No one — not you, not our support team — can retrieve the original value through the UI.
- Keys are scoped to the project they were added to. A key saved to one project cannot be read or used by any other project in your organisation.
- Only project admins can add, replace, or remove provider keys. Team members without admin access cannot touch them.
- Each project runs in its own provisioned runtime. Repositories, configuration, and credentials are isolated per project.
To rotate a key
Create a new API key in the Anthropic Console, then open your project's API Keys page, paste the new key, and click Replace. The old key is overwritten immediately.
Your Anthropic API key — what you control
The API key you provide stays under your Anthropic account. Kognita uses it on your behalf to run the project environment, but the billing, the rate limits, and the controls all live in the Anthropic Console. That means you retain full visibility and authority over what the key can spend.
We strongly recommend doing two things in the Anthropic Console before adding the key to Kognita:
- Create a dedicated key for Kognita — label it clearly so you can identify it later.
- Set a monthly spend limit on that key so you have a hard ceiling on what this project can cost.
Setting spend limits and alerts
The Anthropic Console lets you cap usage at the key level. From console.anthropic.com/settings/limits you can:
- Set a hard monthly spend limit — once reached, the key stops working until the next billing period.
- View a usage dashboard broken down by model and time period to see exactly what your project is consuming.
- Monitor token counts and request volume per key to catch any unexpected spikes early.
“Set spend limits on every production key — if a key leaks, spend limits cap your financial exposure while you respond.” (Anthropic API key best practices guide)
Tip
A spend limit does more than control cost — it also limits blast radius if the key is accidentally exposed. Even a modest cap (say, $20/month for a development project) means a leaked key cannot rack up hundreds of dollars before you notice.
Anthropic's own security protections
Anthropic runs additional protections on the platform side that apply to every key automatically:
- GitHub secret scanning partnership — if an Anthropic API key is ever accidentally committed to a public GitHub repository, GitHub notifies Anthropic and the key is automatically deactivated.
- Keys are shown exactly once at creation. Anthropic does not store the plaintext value and cannot retrieve it for you.
- Admin API access (for organisations needing programmatic key management) requires a separate admin-scoped key and is restricted to organisation admins only.
“Anthropic has partnered with GitHub to provide protection through GitHub's Secret scanning partner program — GitHub actively scans public repositories for exposed Claude API keys and if detected, GitHub immediately notifies Anthropic, which automatically deactivates the exposed API key.”
Quick checklist
- Create a dedicated Anthropic key for this Kognita project
- Label it clearly in the Anthropic Console (e.g. "Kognita – [project name]")
- Set a monthly spend limit before adding the key to Kognita
- Save the key in Kognita — it is encrypted immediately and never shown again
- Review usage in the Anthropic Console periodically
- Rotate the key every 60–90 days by creating a new one and using Replace in Kognita