API keys authenticate your applications to the gateway. They’re issued from the dashboard’s Configuration → API keys page (/dashboard/configuration/api-keys) and pushed to every attached gateway, so the same key works on any gateway the owning organization has online.

Open API keys

The list view shows, per key:

| Column | Notes |
| --- | --- |
| Name | Your label — whatever you name the key at creation. |
| Owner | Organization member the key belongs to. |
| Key | Masked preview with a copy-to-clipboard button. |
| Status | active, inactive, expired, or revoked. |
| Expires | Expiration date if set. |
| Last used | Most recent request timestamp. |
| Created | When the key was created. |
| Requests | Total requests served. |
| Usage | Percentage of total traffic across all your keys. |

Filters:
  • Search — by name or key preview.
  • Status dropdown — All, Active, Inactive, Expired, Revoked.
  • Sortable columns — Name, Owner, Status, Requests.
API keys list

Create a key

Click Create Key. The form has two tabs.

Basic

| Field | Required | Notes |
| --- | --- | --- |
| Key Name | Yes | What you’ll see in logs (e.g. Production API). |
| Expiration | No | Never, 30d, 60d, 90d, 180d, 1y. |
| Requests/min | No | Per-key rate limit. |
| Tokens/min | No | Per-key token rate limit. |
| Budget ($) | No | Hard USD cap; requests are blocked when exceeded. |
| Budget Alert Thresholds (%) | Shown if budget set | Comma-separated percentages (e.g. 50,80,100). Triggers notifications. |
| Ephemeral Token | No | Issues a short-lived delegated token instead of a standard key. |
| Expires In (seconds) | Shown if ephemeral | TTL for the ephemeral token. Default 3600. |
| Allowed Providers | No | Per-provider toggles. All on = no restriction. |

Advanced

  • Allowed Models — comma-separated allow-list (gpt-4o, claude-3.5-sonnet). Empty = all enabled models.
  • IP Allowlist — CIDRs or IPs (192.168.1.0/24, 10.0.0.1). Empty = any IP.
  • Metadata (JSON) — arbitrary tags echoed back in logs (e.g. {"team": "backend", "env": "production"}).

MCP

  • MCP Enabled — toggle. Off means this key cannot use any MCP server or tool.
  • MCP Access Mode — Allow All, Deny All, Allow List, Deny List.
  • Allowed / Denied MCP Servers — comma-separated server names, shown when the matching mode is picked.
  • MCP Tools — per-server tool picker with checkboxes; searchable.
Create API key form

The one-shot reveal

After you click Create Key, the secret is shown once in a green success box:
  • Message: “API Key created! Copy it now”.
  • Full key in a monospace, select-all code block.
  • Copy button (flashes to Copied! for 2 seconds).
  • Warning: “This key will not be shown again. Make sure to save it securely.”
  • Done button to dismiss.
If you lose the secret, rotate the key to get a new one — there is no retrieval flow. Put it in your secrets manager the first time.

Row actions

From the list: the trash icon on each row deletes the key with a confirmation (“Delete API Key: Are you sure you want to delete ‘{name}’? This action cannot be undone.”). Clicking a row opens a detail dialog with more actions:

| Action | What it does |
| --- | --- |
| Edit | Change name, rate limit, or MCP servers. |
| Rotate Key | Old secret stops working immediately; new secret shown once, same copy flow as creation. |
| Ephemeral Token | Generate a short-lived (default 1h) delegated token from this key. |
| Deactivate | Shown when status is active. Key stops authenticating until reactivated. |
| Activate | Shown when status is inactive or revoked. |
| Delete | Permanent. Same confirmation as the row action. |

Use a key

curl https://<your-gateway>/v1/chat/completions \
  -H "Authorization: Bearer <your-key>" \
  -H "Content-Type: application/json" \
  -d '{"model":"gpt-4o-mini","messages":[{"role":"user","content":"hi"}]}'
The gateway validates the key, enforces scopes (allowed providers, allowed models, IP allowlist, quotas, budget), and routes the request.
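
To reason about how the scope fields combine before you save a key, the following added sketch (not the gateway's own code) models the documented semantics: an empty IP allowlist or model list means no restriction, and a budget is a hard cap. The `KeyScope` class, the function names, the check order, exact-name model matching, and treating "spend equals cap" as exceeded are all assumptions of this example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class KeyScope:
    """Hypothetical model of the per-key settings on the Create Key form."""
    status: str = "active"
    allowed_models: str = ""            # comma-separated; empty = all enabled models
    ip_allowlist: str = ""              # comma-separated CIDRs or IPs; empty = any IP
    budget_usd: Optional[float] = None  # hard USD cap; None = no budget set
    spent_usd: float = 0.0

def _split(csv: str) -> list[str]:
    return [item.strip() for item in csv.split(",") if item.strip()]

def parse_allowlist(csv: str) -> list:
    # strict=False accepts a bare IP (as a single-host network) and CIDRs with
    # host bits set; a malformed entry raises ValueError rather than being
    # silently skipped.
    return [ipaddress.ip_network(entry, strict=False) for entry in _split(csv)]

def check_request(scope: KeyScope, client_ip: str, model: str) -> tuple[bool, str]:
    # Check order is an assumption of this sketch.
    if scope.status != "active":
        return False, f"key is {scope.status}"
    nets = parse_allowlist(scope.ip_allowlist)
    if nets:
        addr = ipaddress.ip_address(client_ip)
        if not any(addr.version == n.version and addr in n for n in nets):
            return False, "client IP not in allowlist"
    models = _split(scope.allowed_models)
    if models and model not in models:  # exact-name match (assumption)
        return False, "model not allowed"
    # Assumption: reaching the cap counts as exceeding it.
    if scope.budget_usd is not None and scope.spent_usd >= scope.budget_usd:
        return False, "budget exceeded"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample using the example values shown on the form.
    scope = KeyScope(allowed_models="gpt-4o, claude-3.5-sonnet",
                     ip_allowlist="192.168.1.0/24, 10.0.0.1")
    for ip, model in [("192.168.1.77", "gpt-4o"), ("10.0.0.2", "gpt-4o"),
                      ("10.0.0.1", "gpt-4o-mini")]:
        print(ip, model, check_request(scope, ip, model))
```

Running a check like this over your planned allowlist catches typos in CIDR entries and shows that a bare IP such as 10.0.0.1 admits only that single address.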

Notes

  • Keys are organization-scoped, not single-gateway. A key works against any gateway the owning org has online. Per-gateway scoping is tracked as a future feature.
  • Admins can use Create Key for User to mint a key on behalf of another organization member; the key is then owned by that user.
  • Every creation, rotation, activation, and deletion is audit-logged on each gateway the key touches (local-only, see Logs & traces).