For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
DashboardSign Up
  • Getting Started
    • Welcome
    • Quick Start
    • Authentication
  • Native Mode
    • Overview
    • OpenAI
    • Anthropic
    • Gemini
  • Unified Mode
    • Overview
    • Python
    • TypeScript
    • cURL
  • Platform
    • Key Management
    • Rate Limits & Budgets
    • Usage & Billing
    • Error Reference
  • API Reference
DashboardSign Up
On this page
  • Creating a key
  • Editing a key
  • Revoking a key
  • Key lifecycle states
  • Best practices
  • Management API
Platform

Key Management

Create, configure, and manage proxy keys
Was this page helpful?
Edit this page
Previous

Rate Limits & Budgets

Control request rates and spending
Next
Built with

Proxy keys control how your team accesses LLM providers through Gateway AI. Each key can be scoped with provider restrictions, model allowlists, IP rules, rate limits, and spend caps.

Creating a key

In your dashboard, go to API Keys and click Create Key.

Required:

  • Name — a label for this key (e.g., backend-prod, data-team, staging)

Optional:

  • Allowed providers — restrict to specific providers (OpenAI, Anthropic, Gemini). Leave empty for all.
  • Allowed models — restrict to specific models. Supports glob patterns (e.g., gpt-4o* matches gpt-4o and gpt-4o-mini). Leave empty for all.
  • Allowed IPs — restrict to specific IP addresses or CIDR ranges. Leave empty for any IP.
  • Rate limit — maximum requests per minute for this key.
  • Spend limit — maximum dollar spend for this key, with an optional reset period (daily, weekly, monthly).
  • Expires at — automatic expiry date.

After creation, the raw key is shown once. Copy it immediately — it cannot be retrieved again. Only the key prefix (sk-proxy-a1b2...) is stored for identification.

Editing a key

Click the edit button on any key to modify its settings. You can change:

  • Name
  • Provider and model restrictions
  • IP allowlist
  • Rate limit
  • Spend limit and reset period

Changes take effect immediately for new requests.

Revoking a key

Click the revoke button to permanently disable a key. Revoked keys return 403 key_revoked on any request. This action cannot be undone.

Key lifecycle states

StatusMeaning
activeKey is usable
expiredPast its expiry date, automatically rejected
revokedManually disabled, permanently rejected

Best practices

  • One key per service or team — makes it easy to track usage and revoke access independently.
  • Set rate limits — protect against runaway scripts. Start with a reasonable RPM and increase as needed.
  • Use IP allowlists in production — restrict keys to your server IPs so stolen keys can’t be used elsewhere.
  • Set spend limits — prevent surprise bills from bugs or misuse. Use daily or weekly reset periods.
  • Rotate keys periodically — create a new key, update your service, then revoke the old one.

Management API

You can also manage keys programmatically using the management API:

  • POST /v1/keys — create a key
  • GET /v1/keys — list all keys in your org
  • PATCH /v1/keys/{id} — update a key
  • DELETE /v1/keys/{id} — revoke a key

See the API Reference for details.