Configuring API keys in Traffic Policy is deprecated for standard providers. The supported path going forward is to attach keys directly to your AI Gateway API Key. This removes key management from your Traffic Policy entirely: no more secrets references, and no redeployment needed when rotating keys.

Before you start

This migration applies to you if your Traffic Policy has api_keys under one or more providers:
on_http_request:
  - name: DefaultAIGateway
    actions:
      - type: ai-gateway
        config:
          providers:
            - id: openai
              api_keys: # ← migrating this
                - value: ${secrets.get('openai', 'primary-key')}
                - value: ${secrets.get('openai', 'backup-key')}
One case still requires Traffic Policy keys and cannot be migrated: custom or self-hosted providers (that is, providers with a base_url) must stay in Traffic Policy.

Migration steps

1. Create an AI Gateway Managed Key

First, create an AI Gateway Managed Key that will be added to your SDK or cURL requests.
ngrok api ai-gateway-api-keys create \
  --endpoint-id ep_xxxx
Make sure to save the ng-xxxxx-g1-xxxxx token since this will be the only time you’ll see the unredacted key.

2. Attach your keys to your AI Gateway API Key

For each provider and key in your Traffic Policy, attach the key to your AI Gateway API Key.
# Attach OpenAI backup key first (tried last)
ngrok api ai-gateway-provider-keys create \
  --ai-gateway-api-key-id aigk_xxxxx \
  --provider-id openai \
  --description "OpenAI Backup" \
  --value sk-proj-backup...

# Attach OpenAI primary key last (tried first)
ngrok api ai-gateway-provider-keys create \
  --ai-gateway-api-key-id aigk_xxxxx \
  --provider-id openai \
  --description "OpenAI Primary" \
  --value sk-proj-primary...
The most recently attached key is tried first, so attach last the key you want tried first.

3. Verify the attached keys work

Before removing keys from Traffic Policy, confirm your attached keys are routing correctly. Make a test request using your AI Gateway API Key and check the response:
from openai import OpenAI

client = OpenAI(
    base_url="https://your-ai-gateway.ngrok.app/v1",
    api_key="ng-xxxxx-g1-xxxxx"
)

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "ping"}]
)
print(response.choices[0].message.content)
Check your AI Gateway’s usage page to confirm the request used your attached key. If the attached key works, you’re safe to remove the BYOK config in the next step.

4. Remove api_keys from your Traffic Policy

Remove the api_keys fields from your provider configurations. If a provider has no other configuration (models, base_url, metadata), you can remove it entirely.

Before:
on_http_request:
  - actions:
      - type: ai-gateway
        config:
          providers:
            - id: openai
              api_keys:
                - value: ${secrets.get('openai', 'primary-key')}
                - value: ${secrets.get('openai', 'backup-key')}
            - id: google
              api_keys:
                - value: ${secrets.get('google', 'key')}
After:
on_http_request:
  - actions:
      - type: ai-gateway
Deploy the updated Traffic Policy.

5. Confirm requests still work

Make another test request and verify it succeeds. The gateway now routes using your attached provider keys.

If requests fail, check error codes and verify your keys were attached correctly:
ngrok api ai-gateway-provider-keys list --ai-gateway-api-key-id aigk_xxxxx
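
A pre-migration check for the steps above, as an added example that is not part of the original page or of ngrok's tooling: it walks a parsed Traffic Policy, lists the keys to attach in the order step 2 calls for, flags base_url providers whose keys must stay, and returns the policy with migrated api_keys removed. The function names, the sample policy, the `internal-llm` provider and the assumption that the policy lists keys in try order are illustrative.

```python
import copy

OTHER_CONFIG = ("models", "base_url", "metadata")  # "other configuration" per the page

def label(value):
    # Show secret references as written; never echo a literal key.
    return value if value.startswith("${") else "<literal key, redacted>"

def plan_migration(policy):
    """Return (attach_order, kept_in_policy, new_policy) for a parsed policy."""
    new_policy = copy.deepcopy(policy)  # leave the caller's policy untouched
    attach_order, kept = [], []
    for rule in new_policy.get("on_http_request", []):
        for action in rule.get("actions", []):
            if action.get("type") != "ai-gateway":
                continue
            config = action.get("config", {})
            remaining = []
            for provider in config.get("providers", []):
                if "base_url" in provider:
                    # Custom/self-hosted provider: keys stay in Traffic Policy.
                    kept.append(provider["id"])
                    remaining.append(provider)
                    continue
                # The most recently attached key is tried first, so attach in
                # reverse. Assumption: the policy lists keys in try order.
                for key in reversed(provider.pop("api_keys", [])):
                    attach_order.append((provider["id"], label(key["value"])))
                if any(field in provider for field in OTHER_CONFIG):
                    remaining.append(provider)  # still carries other settings
            config["providers"] = remaining
            if not remaining:
                del config["providers"]
            if not config:
                action.pop("config", None)  # same shape as the page's "After"
    return attach_order, kept, new_policy

# Constructed sample (parsed policy); "internal-llm", its URL and the metadata are made up.
SAMPLE = {"on_http_request": [{"actions": [{"type": "ai-gateway", "config": {"providers": [
    {"id": "openai", "api_keys": [
        {"value": "${secrets.get('openai', 'primary-key')}"},
        {"value": "${secrets.get('openai', 'backup-key')}"}]},
    {"id": "google", "metadata": {"team": "search"},
     "api_keys": [{"value": "${secrets.get('google', 'key')}"}]},
    {"id": "internal-llm", "base_url": "https://llm.internal.example/v1",
     "api_keys": [{"value": "${secrets.get('internal', 'key')}"}]},
]}}]}]}

if __name__ == "__main__":
    print(plan_migration(SAMPLE)[:2])
```

The function takes the structure a YAML or JSON parser produces from your policy file; it only reports secret references and never resolves them.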

What doesn’t change

  • Your application code: same AI Gateway API Key, same gateway URL, no client changes needed
  • Failover behavior: attached keys are tried in reverse order of attachment (most recently attached first)
  • Gateway auth: the gateway still validates requests with your AI Gateway API Key before routing
  • Observability: you can inspect which key was used on your AI Gateway’s usage page

What changes

| | Traffic Policy BYOK | Attached provider keys |
| --- | --- | --- |
| Key rotation | Update secret or Traffic Policy, redeploy | Add new key, remove old key via API; no redeploy |
| CEL selection | Supported | Not supported (simple failover only) |
| Custom providers (base_url) | Supported | Not supported; keep in Traffic Policy |
| Secrets vault needed | Yes | No |
| Key visible in config | As secret reference | Never visible |

Next steps