API Keys
API keys are the primary authentication mechanism for clients calling the gateway’s AI endpoints. Each key can be scoped to specific capabilities, given a rate limit, and set to expire automatically.
API Key List
The API Keys page displays a searchable, paginated table with the following columns:
| Column | Description |
|---|---|
| Name | A human-readable label for the key |
| Prefix | The first 16 characters of the key (aigw_sk_ + 8 hex) for identification |
| Scopes | Which API capabilities this key can access |
| Status | active, revoked, or expired |
| Created | When the key was generated |
| Last Used | Timestamp of the most recent request using this key, or “Never” |
Creating an API Key
Click Create API Key to open the creation form:
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive label (e.g. “Production API Key”, “CI/CD Pipeline”) |
| Organization / Department | No | Optionally bind the key to an organization and/or department for scoped usage and budgeting. |
| Expires In | No | When the key should automatically expire. |
| Rate Limit | No | Maximum requests per minute; 0 or blank means unlimited. |
| Capabilities | No | Which capabilities this key can access. Defaults to chat if none are selected. |
| Restrict to Providers | No | Limit the key to specific provider configs. Empty means all providers. |
| Restrict to Models | No | Limit the key to specific models. Empty means all models. |
Expiration Options
| Option | Duration |
|---|---|
| Never | Key does not expire |
| 30 days | Expires after 30 days |
| 90 days | Expires after 90 days |
| 180 days | Expires after 180 days |
| 1 year | Expires after 365 days |
Available Capabilities
Capabilities (shown as “Scopes” in the list) restrict which gateway endpoints the key can call:
| Capability | Endpoints |
|---|---|
| chat | /v1/chat/completions, /v1/messages |
| completions | /v1/completions |
| embeddings | /v1/embeddings |
| audio | /v1/audio/transcriptions, /v1/audio/translations |
| tts | /v1/audio/speech |
| images | /v1/images/generations |
| rerank | /v1/rerank |
| video-generation | /v1/video/generations |
| files | /v1/files |
| batch | /v1/batches |
| vector-stores | /v1/vector_stores |
| responses | /v1/responses |
| realtime | /v1/realtime/sessions + the realtime WebSocket |
| usage:read | /v1/usage |
| budget:read | /v1/budget |
A key only has access to the capabilities it is granted — there is no “all access” wildcard. If you create a key without selecting any capability, it defaults to chat. GET /v1/models requires only authentication (no specific capability). Admin endpoints (/api/admin/*) are not reachable with API keys; they require a JWT session.
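The capability rules above, expressed as a deny-by-default authorization check. This is an added example, not the gateway's own code; the key record fields (`status`, `scopes`, `expires_at`), the prefix matching for sub-resources and the refusal of `..` path segments are assumptions.

```python
from datetime import datetime, timezone
# Capability -> endpoints, copied from the table above. The realtime WebSocket
# path is not given on the page, so it is not modelled here.
CAPABILITY_ENDPOINTS = {
    "chat": ["/v1/chat/completions", "/v1/messages"],
    "completions": ["/v1/completions"],
    "embeddings": ["/v1/embeddings"],
    "audio": ["/v1/audio/transcriptions", "/v1/audio/translations"],
    "tts": ["/v1/audio/speech"],
    "images": ["/v1/images/generations"],
    "rerank": ["/v1/rerank"],
    "video-generation": ["/v1/video/generations"],
    "files": ["/v1/files"],
    "batch": ["/v1/batches"],
    "vector-stores": ["/v1/vector_stores"],
    "responses": ["/v1/responses"],
    "realtime": ["/v1/realtime/sessions"],
    "usage:read": ["/v1/usage"],
    "budget:read": ["/v1/budget"],
}
PATH_TO_CAP = {p: c for c, paths in CAPABILITY_ENDPOINTS.items() for p in paths}

def required_capability(path):
    """Capability guarding `path`, or None; sub-resources inherit (assumption)."""
    for prefix, cap in PATH_TO_CAP.items():
        if path == prefix or path.startswith(prefix + "/"):
            return cap
    return None

def authorize(key, method, path, now=None):
    """Return (allowed, reason). `key` is a dict with hypothetical field names."""
    now = now or datetime.now(timezone.utc)
    path = path.split("?", 1)[0].rstrip("/")
    if ".." in path.split("/"):  # assumption: refuse rather than normalise
        return (False, "path traversal segment")
    if (path + "/").startswith("/api/admin/"):
        return (False, "admin endpoints require a JWT session")
    if key["status"] != "active":
        return (False, f"key is {key['status']}")
    if key.get("expires_at") and now >= key["expires_at"]:
        return (False, "key is expired")
    if method == "GET" and path == "/v1/models":
        return (True, "authentication only")
    cap = required_capability(path)
    if cap is None:  # deny by default: there is no wildcard scope
        return (False, "no capability maps to this path")
    if cap not in set(key.get("scopes") or ["chat"]):  # none selected -> chat
        return (False, f"missing capability {cap}")
    return (True, cap)
```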
Copying the Key
After creation, the full API key is displayed exactly once in a modal dialog. You must copy it immediately — the gateway stores only a hashed version and cannot retrieve the plaintext key later.
The modal includes a Copy button that uses the clipboard API. A confirmation indicator appears when the key has been copied successfully.
Revoking a Key
Click Revoke on any active key to permanently disable it. A confirmation dialog warns that applications using this key will immediately lose access. Revocation is irreversible — you cannot re-enable a revoked key.
Revoked keys remain visible in the list with a revoked status tag for audit purposes.
Key Statuses
| Status | Meaning |
|---|---|
| active | Key is valid and accepting requests |
| revoked | Key has been manually revoked; requests are rejected |
| expired | Key has passed its expiration date; requests are rejected |
Best Practices
- Use descriptive names that identify the application or environment (e.g. “staging-backend”, “analytics-service”).
- Set expiration dates for keys used in non-production environments.
- Apply the principle of least privilege by scoping keys to only the capabilities they need.
- Rotate keys periodically by creating a new key, updating your application, and revoking the old one.
- Monitor the Last Used column to identify unused keys that can be safely revoked.