Authentication
Every request to api.aigateway.sh is authenticated with a bearer token. Keys are created in the dashboard, shown exactly once at creation, and can be revoked at any time.
Mint a key
Sign in, open the API keys page, and click Create key. Copy the sk-aig-… token — we never show it again. Name the key after the app or environment that will carry it (e.g. production-api, ci-eval-runner).
Use the key
Pass the key via the Authorization header on every call. Never embed keys in client-side code — route calls through your backend or use a scoped ephemeral key.
export AIG_KEY="sk-aig-..." curl https://api.aigateway.sh/v1/models \ -H "Authorization: Bearer $AIG_KEY"
Scoped keys
Keys inherit your account's tier and spending ceiling by default. For agents and sub-tenants, create a scoped key that clamps:
- Monthly spend ceiling (hard — requests past it fail fast)
- Model allow-list (only
moonshot/*, only embeddings, etc.) - Rate limit (lower than your tier's ceiling)
- Expiration (automatic key death on a fixed timestamp)
Scoped keys still bill against your master account. See the API reference for the full schema.
Rotation
Revoke compromised keys instantly from the dashboard — the ban propagates to the edge within seconds. Emit key.rotated webhooks by posting to /v1/keys/{id}/rotate; the old key is deactivated when the new one is first used.
Troubleshooting
| Response | Meaning |
|---|---|
401 invalid_key | Missing, malformed, or revoked — re-check the header spelling. |
403 scope_exceeded | Key is scoped; request hit its allow-list or spend limit. |
429 rate_limited | Tier or per-key RPM exceeded — see Rate limits. |