Trust anchors
What is missing?
allowlist match
missing
org hints
partial context
API Keys detail story
The unknown key should read like a trust break: unclear ownership, shared reach, and immediate containment value.
A credential story page is useful when it explains why the key matters right now and what it could widen if it is real unknown activity.
This key reframes several stories
Why should this key be one of the first pages an operator opens?
Linked sessions
6
Past-week context around the key
Flagged sessions now
1
One lane is active enough to matter
Spend attached
NaN
Not trivial in the recent window
Allowlist status
NaN
That is the main story
c6 detail reference
sk-ant-...C001
Significance
Unknown API key
This key is not in the org allowlist and active use has already triggered an alert.
Key Prefix :
sk-ant-...C001
display-safe prefix only
Organization :
unknown
Rate Limit (req) :
500 / min
Rate Limit (tokens) :
50K / min
First Seen :
today
Last Seen :
22 min ago
Sessions Using This Key
c6 makes the current user, agent, and endpoint relationship explicit.
User | Agent | Endpoint | Cost | Status |
|---|---|---|---|---|
| unknown | Claude Code v1.2.0 | 10.0.1.44 | $0.61 | active |
| sandbox-evals | Claude Code v1.2.0 | 10.0.1.17 | $2.37 | flagged |
Key findings
What this representative item changes in the story
3 findings
Finding | Body | Operator note |
|---|---|---|
This is the cleanest trust break | Ownership is weak enough that several surrounding rows become harder to trust confidently. | That is the whole reason this key is high-signal. |
The key widens consequence above the session row | Because it is reused, the credential story travels across hosts, repos, and provider calls. | That is why the blast radius is high. |
Containment is unusually actionable | A credential lane is one of the few inventory stories where the immediate control is obvious. | That makes the page operationally valuable. |
Immediate actions
Point to action before deeper raw inspection
3 actions
Resolve ownership fast :
Match the key to an approved owner or treat the gap as a live containment problem.
Scope the recent sessions :
Use the attached session stories to understand what context the key actually unlocked.
Prepare a containment path :
Suspension or rotation should be ready if the ownership gap cannot be closed quickly.
Credential trust map
The unknown key should be shown as a trust break that widens several adjacent stories.
credential
Use the map to connect the key to sessions, hosts, files, and outbound traffic in one operator view.
Focus
sk-ant-...C001
Unknown owner with active usage and shared scope.
trust break
Attached work
Where is it used?
1 active session
flagged now
5 recent sessions
adjacent context
Company context
Why does it matter?
auth repo path
sensitive work
.env + config
credential-adjacent files
Boundary paths
What does it unlock?
api.anthropic.com
provider traffic
secondary host
supporting path
trust level
low
linked sessions
6
containment value
high
next drill
session + file story
Evidence bundles
Bundle the story instead of reconstructing it from rows
4 bundles
Bundle | Body | Why it matters |
|---|---|---|
Ownership bundle | Masked prefix visible, allowlist match missing, organization hints partial. | Correlation is possible even without full trust. |
Usage bundle | Active use in one high-signal session and several adjacent recent sessions. | The key is not dormant or merely historical. |
Context bundle | The attached work touches auth-related files and shared agent lanes. | That is why the key story matters beyond billing. |
Boundary bundle | Provider traffic and a supporting external path both sit on this credential lane. | The key is central to the outbound explanation. |