Authentication
Authenticating requests to AI Gateway.
Overview
AI Gateway uses bearer token authentication with gateway API keys. Keys are prefixed with gw_sk_ to distinguish them from provider keys.
Gateway API Keys
Key Format
Gateway API keys follow this format:
gw_sk_[random-string]
Example: gw_sk_XwmWjL8x9aBcDeFgHiJkLmNo
Creating Keys
- Navigate to AI Gateway Settings
- Under "Gateway API Keys", click Create API Key
- Enter a name (e.g., "Production", "Development")
- Click Create
- Copy the key immediately (it won't be shown again)
Key Permissions
All gateway keys have full access to:
- Chat completions endpoint
- Models endpoint
- Your configured providers
Coming soon: Scoped keys with limited permissions.
Using Your API Key
Authorization Header
Include your key in the Authorization header:
curl -X POST https://api.transactional.dev/ai/v1/chat/completions \
  -H "Authorization: Bearer gw_sk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-4o", "messages": [{"role": "user", "content": "Hello!"}]}'
With OpenAI SDK
import OpenAI from 'openai';
const openai = new OpenAI({
  baseURL: 'https://api.transactional.dev/ai/v1',
  apiKey: 'gw_sk_your_key_here', // Gateway key, not OpenAI key
});
With Python
from openai import OpenAI
client = OpenAI(
    base_url="https://api.transactional.dev/ai/v1",
    api_key="gw_sk_your_key_here"
)
Environment Variables
Store keys securely in environment variables:
# .env
GATEWAY_API_KEY=gw_sk_your_key_here
const openai = new OpenAI({
  baseURL: 'https://api.transactional.dev/ai/v1',
  apiKey: process.env.GATEWAY_API_KEY,
});
Framework Examples
Next.js:
# .env.local
GATEWAY_API_KEY=gw_sk_your_key_here
Vercel:
vercel env add GATEWAY_API_KEY
Docker:
services:
  app:
    environment:
      - GATEWAY_API_KEY=${GATEWAY_API_KEY}
Key Management
Viewing Keys
- Go to AI Gateway > Settings
- Under "Gateway API Keys", see all your keys
- View name, creation date, and last used time
Revoking Keys
- Find the key in the list
- Click the ... menu
- Select Revoke
- Confirm revocation
Warning: Revoking a key immediately invalidates it. Any applications using that key will fail.
Key Rotation
Best practice is to rotate keys periodically:
- Create a new key
- Update your applications to use the new key
- Monitor for any remaining usage of the old key
- Revoke the old key
Security Best Practices
Do
- Store keys in environment variables
- Use different keys for development and production
- Rotate keys regularly (every 90 days recommended)
- Monitor key usage in the dashboard
- Revoke unused keys
Don't
- Commit keys to version control
- Share keys between applications
- Expose keys in client-side code
- Log keys in application logs
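One way to enforce the "Log keys in application logs" and "Commit keys to version control" rules above in code; this is an added example, not part of the gateway's own tooling. It assumes the random part of a key is alphanumeric and at least 16 characters long (the page documents only the gw_sk_ prefix), and the names GATEWAY_KEY_RE, redact, GatewayKeyRedactor and find_keys are hypothetical.

```python
import logging
import re

# Assumption: the random part is alphanumeric and at least 16 characters long.
# The page only documents the gw_sk_ prefix, so adjust this to your real keys.
GATEWAY_KEY_RE = re.compile(r"gw_sk_[A-Za-z0-9]{16,}")


def redact(text: str) -> str:
    """Mask gateway keys, keeping the prefix and last 4 chars for correlation."""
    return GATEWAY_KEY_RE.sub(lambda m: "gw_sk_****" + m.group(0)[-4:], text)


class GatewayKeyRedactor(logging.Filter):
    """Logging filter that scrubs gateway keys from the final rendered message."""

    def filter(self, record: logging.LogRecord) -> bool:
        # getMessage() applies %-style args, so keys passed as args are caught too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def find_keys(text: str) -> list[tuple[int, str]]:
    """Return (line_number, redacted_match) for each key found, e.g. in a staged file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in GATEWAY_KEY_RE.finditer(line):
            hits.append((lineno, redact(m.group(0))))
    return hits


if __name__ == "__main__":
    # Constructed sample input; the key is the example value from this page.
    sample = (
        "# .env\n"
        "GATEWAY_API_KEY=gw_sk_your_key_here\n"
        "GATEWAY_API_KEY=gw_sk_XwmWjL8x9aBcDeFgHiJkLmNo\n"
    )
    print(find_keys(sample))

    handler = logging.StreamHandler()
    handler.addFilter(GatewayKeyRedactor())
    log = logging.getLogger("gateway-demo")
    log.addHandler(handler)
    log.warning("auth failed for %s", "Bearer gw_sk_XwmWjL8x9aBcDeFgHiJkLmNo")
```

Attach the filter to handlers rather than to a single logger so that records propagated from child loggers are scrubbed as well. Exception tracebacks are rendered by the formatter after filtering and are not covered by this filter.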
Compromised Keys
If a key is exposed:
- Immediately revoke the key in the dashboard
- Create a new key
- Update all applications using the old key
- Review access logs for unauthorized usage
Error Responses
401 Unauthorized
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key"
  }
}
Causes:
- Missing Authorization header
- Invalid key format
- Key doesn't exist
- Key has been revoked
403 Forbidden
{
  "error": {
    "code": "forbidden",
    "message": "API key does not have access to this resource"
  }
}
Causes:
- Key doesn't have permission for this endpoint
- Organization doesn't have access to this feature
Rate Limits
Each API key has its own rate limits:
| Plan | Requests/min | Requests/day |
|---|---|---|
| Free | 20 | 1,000 |
| Pro | 200 | 50,000 |
| Team | 1,000 | 250,000 |
Set custom per-key limits in the dashboard.