Get an API Key
An API key is your only credential for calling the gateway. An organization can create multiple keys for different apps or environments.
Create
- Sign in to the console and open API Keys.
- Click Create API Key and give it a name (to tell uses apart).
- A plaintext key like
sk-xxxxxxxxis shown.
Plaintext shown only once
The full plaintext is shown only once, at creation. Copy it immediately into a password manager or your server's secret config. After you leave the page you cannot view it again — you can only rotate a new one.
Use
Put the key in the Authorization header:
Authorization: Bearer sk-your-key- Claude native endpoints also accept
x-api-key: sk-your-key. - Gemini native endpoints also accept the URL query parameter
?key=sk-your-key.
See Auth & Base URL.
Configurable options
| Option | Description |
|---|---|
| Model scope | Restrict which models this key can call. Empty means all models in the key's plan are allowed. |
| Monthly limit | The most this key can spend per month. On reaching it, calls return 402 api_key_quota_exceeded. Use it to cap a single app. |
| Plan | The plan the key is bound to (decides available models and price multiplier), assigned by the platform. See Models & plans. |
Org vs key limits
The monthly limit is per key. If you have several keys, per-key caps don't replace overall spend control — overall spend is bounded by wallet balance. When balance runs out, all keys return 402 billing_shortfall.
Rotate, disable, delete
- Rotate: generate a new plaintext; the old one is invalidated immediately. Use when you suspect a leak.
- Disable / enable: temporarily stop a key without deleting its usage history.
- Delete: permanent. Historical request logs are still searchable by request id.
All of these require confirmation and are written to the audit log.
Security tips
- Don't hardcode keys into front-end code or commit them to git.
- On the server, inject via environment variables or a secret manager.
- Give different apps different keys with their own monthly limits, so usage is easy to attribute and cap.
- Suspect a leak? Rotate immediately.