API Keys

Key model#

• API keys are scoped to a team, not to a single user.
• A key authenticates requests to the data plane at api.opengateway.ai.
• Keys have a prefix. og_live_ is used for production.
• Every request is tagged with the key that made it, and that tag is visible in the Logs viewer.

Create a key#

1. Open opengateway.ai/settings/api-keys.
2. Click Create Key.
3. Give it a descriptive name, for example prod-worker or local-dev-kim.
4. Copy the key. It is only displayed once. Paste it into your environment variables.

export OPENGATEWAY_API_KEY="og_live_..."

Use a key#

Send the key as a standard Bearer token:

curl https://api.opengateway.ai/v1/chat/completions \
  -H "Authorization: Bearer $OPENGATEWAY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '...'

Rotate a key#

When someone leaves the team or a key is accidentally committed to a public repository, rotate it like this:

1. Create a new key.
2. Deploy the new key to every service that uses it.
3. Wait for traffic on the old key to drop to zero. The Logs dashboard shows live usage.
4. Revoke the old key.

Avoid deleting a key that still receives traffic. Rotate first, revoke second.

Revoke a key#

Go to Settings, then API Keys. Click the key and choose Revoke. Revocation takes effect within seconds, and any request using the key will return 401.

Revocation is irreversible. If you change your mind, create a new key.

Best practices#

• Use one key per environment so that production, staging, and local development are separated.
• Use one key per service when feasible. It makes rotation easier and keeps your audit trail clean.
• Never commit keys. If you do, revoke immediately and rotate. Deleting the commit does not undo the exposure.
• Do not share keys in Slack, email, or issue comments. Use your team's secret manager.
• Give each key a name that reflects its purpose. prod-chat-worker is better than my-key-3.

For how keys interact with access control, see Teams.