Skip to main content
An access key authenticates your application to https://gateway.ngrok.ai. Send it with every request—the gateway uses it to verify who is calling and whether the request is allowed through.

Access keys vs provider keys

The AI Gateway splits authentication into two credentials so your application never handles upstream secrets.
Access keyProvider key
What it isThe credential your app sends to the gatewayAn upstream API key for OpenAI, Anthropic, or another provider
Where it livesIn your applicationIn app.ngrok.ai, attached through an access key configuration
Who uses itYour code, as the SDK’s api_keyThe AI Gateway, injected server-side on each request
Because the two are separate, you can rotate or revoke an access key for one client without touching your provider keys, and your upstream secrets never ship in client code. With credits, built-in OpenAI and Anthropic work through ngrok.ai inference—no provider keys to store at all. See How It Works for the full request flow.

Use in your application

from openai import OpenAI

client = OpenAI(
    base_url="https://gateway.ngrok.ai/v1",
    api_key="ng-xxxxx-g1-xxxxx"  # Your access key
)

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Hello!"}]
)
See the Quickstart to create your first key.

Create and manage keys

Create a separate key per application or team so you can revoke one client without affecting others.

Via the ngrok dashboard

  1. Open app.ngrok.aiKeys.
  2. Click New access key.
  3. Enter a name and optionally assign a configuration.
  4. Copy the token immediately—it’s only shown once.

Via the AI Gateway API

  1. Create an AI Gateway API key.
  2. Send a request to the Access Keys API, authorized with that key:
curl -X POST https://api.ngrok.ai/access-keys \
  -H "Authorization: Bearer $AI_GATEWAY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "name": "Production web app" }'

Things to know

Your key token is only shown once

When you create a key, the token (starting with ng-) is displayed exactly once. If you lose it, delete the key and create a new one.

Requests require credits

Every request consumes credits for ngrok’s processing fee. When ngrok.ai inference handles built-in OpenAI or Anthropic, credits also cover model cost. When you bring your own key, upstream costs go to your provider account. When your balance reaches zero, new requests fail until you purchase more credits.

Invalid keys are rejected

Malformed or deleted access keys are rejected immediately with a 401 Unauthorized. See Error Codes to look up that and other gateway responses.

Credentials overview

CredentialWhat it’s for
ngrok.ai access keysAuthenticate AI requests to gateway.ngrok.ai (required)
ngrok.ai API keysAutomate AI Gateway resources via api.ngrok.ai
ngrok API keysManage ngrok platform resources via the ngrok API
Your provider keysUpstream credentials. See Bring your own provider key

Next steps

Access Key Configurations

Scope providers and route traffic per key

Bring your own provider key

Store upstream credentials

Securing Your Gateway

Per-client keys and revocation

Credits

How usage is billed