Create your first API key
API keys (also called virtual keys) authenticate every request to the gateway. They are bearer tokens — anyone holding the string can spend your credits — so the rest of this page is about creating, scoping, and rotating them safely.
Create one
- Dashboard → Keys.
- Click New key.
- Give it a name that describes where it will be used (prod-server, local-dev, chatbox-personal). The name appears in the usage history and helps you find the right key to rotate later.
- (Optional) Set scoping:
  - Models — restrict to a list of model IDs (openai/gpt-4o, anthropic/claude-sonnet-4-5).
  - Region — pin requests through this key to a region.
  - Daily limit — cap spend per day to a credit amount.
- Click Create. The full token shows once — copy it now.
Tokens look like lr-sk-... and are 40+ characters. After creation, the dashboard shows only the prefix and the last four characters.
Store it
- Production — in your secret manager (Vault, AWS Secrets Manager, GCP Secret Manager, sealed Kubernetes secret, …). Never in source control.
- Local development — in a .env file that is in .gitignore.
- Personal tools — in the OS keychain, or in the tool’s own encrypted store. Avoid pasting the token into chat applications or notes apps that sync to the cloud.
A leaked key can be revoked from the dashboard at any time — see Rotate or revoke below — but it can spend credits in the seconds between the leak and the revocation. Treat keys like passwords.
Use it
The header is the standard Authorization: Bearer:

curl https://lowrouter.ai/api/v1/chat/completions \
  -H "Authorization: Bearer $LOWROUTER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "lowrouter/auto",
    "messages": [{"role": "user", "content": "Hello"}]
  }'

The Authorization header value is exactly Bearer followed by the token — no quotes, no spaces around the equals. SDKs accept the token as the constructor’s apiKey/api_key argument; see integrations.
Rotate or revoke
- Rotate — create a second key, deploy it everywhere, then delete the old one. There is no built-in zero-downtime rotation feature, but this create, deploy, delete sequence achieves the same result.
- Revoke — Dashboard → Keys → Delete. The token stops working on the next request, with no caching delay.
Rotate at least every 90 days, and immediately after any of:
- A key was committed to a repository (even briefly).
- A key was sent over an insecure channel.
- A team member with access to the key left the organisation.
- Unexpected usage shows up on the dashboard.
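
The storage rule (never in source control) and the first rotation trigger above both depend on spotting a key in files headed for a repository. The following is an added example, not part of the gateway's own tooling: it scans files for key-shaped strings and reports them redacted the way the dashboard displays them. The body alphabet in the pattern and all function names are assumptions, since the page gives only the lr-sk- prefix and the 40+ character length.

```python
import re
import sys

# Assumption: the page gives only the "lr-sk-" prefix and a total length of 40+
# characters; the body alphabet [A-Za-z0-9_-] is chosen for illustration.
KEY_RE = re.compile(r"lr-sk-[A-Za-z0-9_-]{34,}")


def redact(token):
    """Keep the prefix and last four characters, as the dashboard does."""
    return f"{token[:6]}...{token[-4:]}"


def scan_text(text, source="<text>"):
    """Return (source, line number, redacted token) for each key-shaped string."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((source, lineno, redact(match.group())))
    return hits


def scan_files(paths):
    """Scan the given files; unreadable paths are skipped, binary bytes ignored."""
    hits = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits.extend(scan_text(fh.read(), path))
        except OSError:
            continue
    return hits


# Constructed sample input; the token is made up and is not a real key.
SAMPLE = (
    'MODEL = "lowrouter/auto"\n'
    'API_KEY = "lr-sk-' + "A1b2C3d4" * 5 + '"\n'
    'api_key = os.environ["LOWROUTER_API_KEY"]\n'
    'SHORT = "lr-sk-abc"\n'
)

if __name__ == "__main__":
    # With arguments, scan those files (for example the output of
    # `git diff --cached --name-only`); with none, scan the sample.
    found = scan_files(sys.argv[1:]) if sys.argv[1:] else scan_text(SAMPLE, "sample.py")
    for source, lineno, shown in found:
        print(f"{source}:{lineno}: possible gateway key {shown}")
    sys.exit(1 if found else 0)
```

The script exits non-zero when it finds a match, so it can block a commit or fail a CI job, and it prints only the redacted form so the key does not end up in build logs as well.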