https://gateway.ngrok.ai must include an access key. Upstream provider credentials are managed in app.ngrok.ai and injected server-side based on the access key’s configuration—see Access keys vs provider keys.
Access key configurations control:
- Access scope: which providers and models the key may call
- Routing rules: whether to use ngrok.ai inference or your stored provider keys for each provider
How it fits together
- Your app sends an access key with each request.
- The gateway loads the configuration linked to that key (or default rules if none is linked).
- The AI Gateway selects upstream credentials from the configuration’s routing rules.
Default behavior
An access key with no configuration (allow-all scope) can reach any provider and model your account supports. For built-in OpenAI and Anthropic, ngrok.ai inference is used automatically when you have credits. To use your own provider accounts, restrict scope, or control failover, create a configuration and assign it to the key.Create a configuration
Via the ngrok dashboard
- Open app.ngrok.ai → Keys → Configurations.
- Click New configuration.
- Set a name and optional description.
- Under Access, allow only the providers and models this key should use.
- Under Routing, add a rule per provider:
- ngrok: ngrok.ai inference supplies the credentials (built-in OpenAI and Anthropic only)
- Bring your own API key: attach one or more stored provider keys (tried in order)
- Save the configuration.
- On Keys, edit an access key and assign the configuration.
Via the AI Gateway API
Create configurations with the Access Key Configurations API. Authorize the request with your AI Gateway API key.Routing rules
Each routing rule targets a provider or model and defines an ordered list of steps:| Step type | Meaning |
|---|---|
ngrok | Use ngrok.ai inference (built-in OpenAI and Anthropic only) |
user | Use attached provider keys, tried in list order |
user step with at least one provider key when the upstream requires authentication.
Multi-key failover
Attach multiple provider keys to the same routing rule step. The gateway tries them in order when a key hits a rate limit or auth error. See Multi-key failover.Restrict providers and models
Use the access block to limit what an access key can call:access entirely for allow-all scope. An empty allow array blocks all traffic on that dimension.
Next steps
- Access Keys: Create keys and assign configurations
- Bring your own provider key: Store upstream credentials
- Restrict providers and models: Limit what a key can call
- Choose a model: Choose models in requests
- Securing Your Gateway: Per-client keys and revocation