Latch / Docs
get started

Latches

The scoped token you hand out. It is not the credential.

A Latch is a scoped access token (lat_…) derived from a Secret. It carries its own upstream, its own policy pipeline, and its own lifetime.

You give the latch to the agent, the contractor, the script. You never give them the key. Delete the latch and they are cut off, without rotating anything.

Creating one

Latches → New latch walks you through it, and ends on Review & activate.

Field What it does
Name Must be unique.
Secret Which credential this latch injects.
Upstream Where requests are forwarded, e.g. https://api.openai.com.
Pipeline The filters evaluated on every request.
Expiry Optional. After this, the token stops working.
Venue Where the policy is evaluated. Standard proxy is the default.

You get the lat_… token once, at creation. Copy it then. Latch stores it encrypted and will not show it again.

Three ways to write the policy

  • Generate. Describe the policy in plain English and let Latch draft the pipeline. Read what it produces before you activate it.
  • Templates. Start from a common shape (read-only, rate-limited writer, PII-safe reader, spend-capped AI agent).
  • Manual. Add filters one at a time. See the filter reference.

Living with a latch

The Latches page groups them: My latches, Examples, All, Enabled, and Delegated (latches extended from a parent).

From a latch's detail page you can:

  • Simulate it: dry-run a request through the pipeline without calling upstream. See Simulate.
  • Clone it: a copy with the same policy, and its own token.
  • Extend it: a child that inherits this policy and can only narrow it. See Extending a latch.
  • Disable it: stop it working without deleting it.
  • Toggle request and response body logging, so Activity records the payloads as well as the decision.

What you cannot change after creation

A single-upstream latch's upstream and secret are fixed once created. The pipeline and the metadata can change; the binding cannot. If you need a different upstream or a different credential, make a new latch.

(Mounts are the exception: on a multi-mount latch, each mount's upstream and secret can be edited.)

Calling it

Point your client at Latch, use the latch token instead of the key, and change nothing else:

curl https://onlatch.com/proxy/v1/chat/completions \
  -H "Authorization: Bearer lat_9f3c…" \
  -H "Content-Type: application/json" \
  -d '{"model":"gpt-4o-mini","messages":[{"role":"user","content":"hi"}]}'

The path after /proxy/ passes straight through to the upstream. See the Proxy API.

Next