AI Gateway API Keys provide built-in authorization for your gateway. Each key is validated by ngrok before any request reaches a provider—no additional Traffic Policy configuration needed.

How it works

  1. Create an AI Gateway API Key via the dashboard, CLI, or API
  2. Use the key as the apiKey in your SDK, or send it in the Authorization: Bearer header
  3. ngrok validates the key on every request
  4. Invalid or missing keys are rejected—requests do not fall through to passthrough mode
from openai import OpenAI

client = OpenAI(
    base_url="https://your-ai-gateway.ngrok.app/v1",
    api_key="ng-xxxxx-g1-xxxxx"  # Your AI Gateway API Key
)

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Hello!"}]
)
Your AI Gateway API Key token is never sent to the provider—ngrok strips it and injects its own managed provider keys.

Per-client keys

Create separate AI Gateway API Keys for each client or application. This enables:
  • Independent revocation: disable one client without affecting others
  • Usage tracking per client: each key tracks last_used so you can see activity
  • Organization: use different descriptions and metadata to identify each client
# Create keys for different clients
ngrok api ai-gateway-api-keys create \
  --endpoint-id ep_xxxxx \
  --description "Production web app"

ngrok api ai-gateway-api-keys create \
  --endpoint-id ep_xxxxx \
  --description "Internal analytics pipeline"

Revoking access

Delete the key via the dashboard, CLI, or API. The key immediately stops working.
ngrok api ai-gateway-api-keys delete <id>
Or via the API:
DELETE /ai_gateway_api_keys/{id}
Deletion is permanent. Any client using the revoked key will immediately receive authentication errors.
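
Because deletion is permanent and each per-client key tracks last_used, it is worth reviewing idle keys before revoking them. The following is an added example, not code from ngrok's documentation: it flags keys that are idle or were never used and renders the delete command shown above for human review. The record shape, the sample ids and the 30-day threshold are assumptions; only the id, description and last_used names come from this page.

```python
import shlex
from datetime import datetime, timedelta, timezone

# Constructed sample records. The JSON shape of a real key listing is an
# assumption; adapt the field names to what your listing actually returns.
SAMPLE_KEYS = [
    {"id": "key_web_EXAMPLE", "description": "Production web app",
     "last_used": "2025-06-01T09:30:00Z"},
    {"id": "key_etl_EXAMPLE", "description": "Internal analytics pipeline",
     "last_used": "2025-01-15T00:00:00Z"},
    {"id": "key_poc_EXAMPLE", "description": "Abandoned prototype",
     "last_used": None},  # issued but never used
]


def parse_ts(value):
    """Parse an RFC 3339 timestamp; treat a missing offset as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def stale_keys(keys, now, max_idle_days=30):
    """Return (id, description, reason) for keys idle longer than the limit."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for key in keys:
        last_used = key.get("last_used")
        if not last_used:
            # Freshly issued keys land here too, so review before deleting.
            findings.append((key["id"], key.get("description", ""), "never used"))
            continue
        seen = parse_ts(last_used)
        if seen < cutoff:
            findings.append((key["id"], key.get("description", ""),
                             f"idle {(now - seen).days} days"))
    return findings


def revoke_commands(findings):
    """Render one delete command per finding; ids are shell-quoted."""
    return [f"ngrok api ai-gateway-api-keys delete {shlex.quote(kid)}  # {desc!r}: {why}"
            for kid, desc, why in findings]


if __name__ == "__main__":
    now = datetime(2025, 6, 10, tzinfo=timezone.utc)  # fixed so output repeats
    for line in revoke_commands(stale_keys(SAMPLE_KEYS, now)):
        print(line)
```

The script only prints commands; nothing is deleted until someone runs them.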

Additional security layers

You can layer additional protections on top of AI Gateway API Keys using Traffic Policy.

Rate limiting

Limit requests per key to prevent abuse:
on_http_request:
  - actions:
      - type: rate-limit
        config:
          name: ai-gateway-limit
          algorithm: sliding_window
          capacity: 100
          rate: 100/min
          bucket_key:
            - req.headers['authorization']

IP restrictions

Restrict access to specific IP ranges for an additional layer of defense. See Securing Endpoints (BYOK) for full configuration examples.

Using BYOK?

If you’re managing your own provider keys, you’ll need to add your own authorization layer. See Securing Endpoints (BYOK) for complete examples including secret-based auth, JWT validation, and IP restrictions.

Next steps

AI Gateway API Keys

Learn how API keys work and how to manage them.

Securing Endpoints (BYOK)

Add authorization when managing your own provider keys.

Rate Limiting

Add rate limiting to your gateway.

Restricting Model Access

Control which providers and models clients can use.