
Credential guide

Choose between Dino spending keys, team API keys, and OAuth / MCP for cash and crypto integrations.

Dino has three public credential patterns. Pick the smallest one that can do the job, and keep secrets out of model prompts, browser bundles, and logs.

#Quick choice

| Credential | Prefix / shape | Best for | Cash | Crypto |
| --- | --- | --- | --- | --- |
| Dino spending key | din_test_... or din_live_... | An agent or backend that creates governed spend, checkout, or payout requests for one policy profile | Create spend requests, checkout intents, read balance / status | Create and read payout intents; cannot approve |
| Team API key | dba_... (legacy mid_...) | Developer consoles, server-to-server admin jobs, and team-scoped operations | Team reads / writes where scopes allow | Balance reads, approvals, declines, recipient management |
| OAuth / MCP | User grants or host-managed auth | User-facing apps and assistants where the operator should sign in instead of copying secrets | Delegated tools and account access depending on scopes | Delegated crypto tools only when the host exposes the needed scopes |

#Dino spending keys (din_)

Use a spending key when a trusted backend or tool runner needs to create economic actions under a specific policy profile.

  • din_test_ keys are for sandbox cash flows and test money.
  • din_live_ keys are for production.
  • Spending keys are shown once. Store them in a secret manager or server environment variable.
  • A spending key is not a card number and not an all-team admin key.
  • Spending keys cannot approve crypto payouts.

Typical cash calls:

  • GET /v1/balance
  • POST /v1/spend-requests
  • GET /v1/spend-requests/:id
  • POST /v1/checkout/intents

Typical crypto calls:

  • GET /v1/crypto/capabilities
  • POST /v1/crypto/payout-intents
  • GET /v1/crypto/payout-intents/:id
  • GET /v1/crypto/payout-intents

#Team API keys (dba_)

Use a team API key for team-scoped developer workflows and privileged server-to-server operations. Team keys use explicit scopes such as spend.read and spend.write.

Team API keys are the right fit when you need to:

  • approve or decline crypto payout intents from a backend service
  • read workspace-scoped crypto balance
  • manage saved crypto recipients
  • build internal operator tooling
  • reconcile team-wide data

Do not hand team keys to agents unless the agent runtime is a trusted backend with a narrow tool surface in front of it.

#OAuth and MCP

Use OAuth or MCP when a user should connect Dino through a browser sign-in instead of copying a raw key. This is usually the best operator experience for user-facing apps and assistant hosts.

OAuth / MCP access is scope-driven. Request only the scopes your integration needs and show the user what the assistant can do. For Solana USDC payment requests, verify the host exposes the crypto payout tools and scopes you need before designing the workflow around them.

#Safe tool boundary

The default architecture is:

  1. The model plans.
  2. Your backend validates the request.
  3. Your backend injects Authorization: Bearer ... and Idempotency-Key.
  4. Dino returns a policy decision or pending approval state.
  5. Your backend returns only safe fields to the model.

Never paste din_ or dba_ secrets into prompts, custom instructions, browser JavaScript, or shared transcripts.
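
The five steps above as a backend tool handler, added here as an example and not Dino's own code. The request body fields, local limits, response field names, the `send` transport and the `DINO_SPENDING_KEY` variable name are assumptions; only the path and the two headers come from this page.

```python
import hashlib
import json
import os

# Assumptions for this sketch: body field names, the local limits, and the
# response field names are hypothetical; only the path and headers are from the page.
ALLOWED_ARGS = {"amount_cents", "currency", "memo"}
ALLOWED_CURRENCIES = ("USD",)
MAX_AMOUNT_CENTS = 50_000
SAFE_FIELDS = ("id", "status")


def validate(tool_args):
    """Step 2: accept only the narrow, typed request the tool is meant to make."""
    unknown = set(tool_args) - ALLOWED_ARGS
    if unknown:
        raise ValueError(f"unexpected arguments: {sorted(unknown)}")
    amount = tool_args.get("amount_cents")
    if type(amount) is not int or not 0 < amount <= MAX_AMOUNT_CENTS:
        raise ValueError("amount_cents outside local limit")
    if tool_args.get("currency") not in ALLOWED_CURRENCIES:
        raise ValueError("currency not allowed")
    memo = tool_args.get("memo", "")
    if not isinstance(memo, str) or len(memo) > 200:
        raise ValueError("memo must be a string of at most 200 characters")
    return {"amount_cents": amount, "currency": tool_args["currency"], "memo": memo}


def build_request(tool_args, task_id, api_key):
    """Step 3: the backend, not the model, attaches the secret and the retry key."""
    if not api_key.startswith(("din_test_", "din_live_")):
        raise ValueError("expected a Dino spending key")
    payload = json.dumps(validate(tool_args), sort_keys=True)
    # Same task and same validated body give the same key, so a retry reuses it.
    idem = hashlib.sha256(f"{task_id}:{payload}".encode()).hexdigest()
    headers = {
        "Authorization": f"Bearer {api_key}",
        "Idempotency-Key": idem,
        "Content-Type": "application/json",
    }
    return "POST", "/v1/spend-requests", headers, payload


def handle_tool_call(tool_args, task_id, send, api_key=None):
    """Steps 2-5: `send` is the caller's HTTP transport (hypothetical signature)."""
    api_key = api_key or os.environ["DINO_SPENDING_KEY"]  # assumed variable name
    response = send(*build_request(tool_args, task_id, api_key))
    # Step 5: the model sees an allow-list of fields, never headers or the raw body.
    return {k: response[k] for k in SAFE_FIELDS if k in response}
```

Validation failures raise before `send` is called, so a rejected plan never reaches the API and never touches the key.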

#Related docs

  • Sandbox
  • Connecting AI Agents
  • OAuth Scopes
  • Agent Spend Errors