API Keys
API keys are the primary authentication mechanism for clients calling the gateway’s AI endpoints. Each key can be scoped to specific capabilities, given a rate limit, and set to expire automatically.
API Key List
The API Keys page displays a searchable, paginated table with the following columns:
| Column | Description |
|---|---|
| Name | A human-readable label for the key |
| Prefix | The first characters of the key (e.g. sk-abc...) for identification |
| Scopes | Which API capabilities this key can access; “All” if unrestricted |
| Status | active, revoked, or expired |
| Created | When the key was generated |
| Last Used | Timestamp of the most recent request using this key, or “Never” |
Creating an API Key
Click Create API Key to open the creation form:
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive label (e.g. “Production API Key”, “CI/CD Pipeline”) |
| Expires In | No | When the key should automatically expire |
| Rate Limit | No | Maximum requests per minute; 0 or blank means unlimited |
| Scopes | No | Which capabilities this key can access; leave empty for full access |
Expiration Options
| Option | Duration |
|---|---|
| Never | Key does not expire |
| 30 days | Expires after 30 days |
| 90 days | Expires after 90 days |
| 180 days | Expires after 180 days |
| 1 year | Expires after 365 days |
Available Scopes
Scopes restrict which gateway endpoints the key can call:
| Scope | Endpoints |
|---|---|
chat | /v1/chat/completions, /v1/messages |
completions | /v1/completions |
embeddings | /v1/embeddings |
images | /v1/images/generations |
audio | /v1/audio/transcriptions, /v1/audio/translations, /v1/audio/speech |
models | /v1/models |
admin | /api/admin/* |
A key with no scopes selected has unrestricted access to all endpoints.
Copying the Key
After creation, the full API key is displayed exactly once in a modal dialog. You must copy it immediately — the gateway stores only a hashed version and cannot retrieve the plaintext key later.
The modal includes a Copy button that uses the clipboard API. A confirmation indicator appears when the key has been copied successfully.
Revoking a Key
Click Revoke on any active key to permanently disable it. A confirmation dialog warns that applications using this key will immediately lose access. Revocation is irreversible — you cannot re-enable a revoked key.
Revoked keys remain visible in the list with a revoked status tag for audit purposes.
Key Statuses
| Status | Meaning |
|---|---|
active | Key is valid and accepting requests |
revoked | Key has been manually revoked; requests are rejected |
expired | Key has passed its expiration date; requests are rejected |
Best Practices
- Use descriptive names that identify the application or environment (e.g. “staging-backend”, “analytics-service”).
- Set expiration dates for keys used in non-production environments.
- Apply the principle of least privilege by scoping keys to only the capabilities they need.
- Rotate keys periodically by creating a new key, updating your application, and revoking the old one.
- Monitor the Last Used column to identify unused keys that can be safely revoked.