LowRouter

Create your first API key

API keys (also called virtual keys) authenticate every request to the gateway. They are bearer tokens — anyone holding the string can spend your credits — so the rest of this page is about creating, scoping, and rotating them safely.

Create one

  1. Dashboard → Keys.
  2. Click New key.
  3. Give it a name that describes where it will be used (prod-server, local-dev, chatbox-personal). The name appears in the usage history and helps you find the right key to rotate later.
  4. (Optional) Set scoping:
    • Models — restrict to a list of model IDs (openai/gpt-4o, anthropic/claude-sonnet-4-5).
    • Region — pin requests through this key to a region.
    • Daily limit — cap spend per day to a credit amount.
  5. Click Create. The full token shows once — copy it now.

Tokens look like lr-sk-... and are 40+ characters. The dashboard only ever shows the prefix and last four characters again.

Store it

  • Production — in your secret manager (Vault, AWS Secrets Manager, GCP Secret Manager, sealed Kubernetes secret, …). Never in source control.
  • Local development — in a .env file that is in .gitignore.
  • Personal tools — in the OS keychain, or in the tool’s own encrypted store. Avoid pasting the token into chat applications or notes apps that sync to the cloud.

A leaked key can be revoked from the dashboard at any time — see Rotate or revoke below — but it can spend credits in the seconds between the leak and the revocation. Treat keys like passwords.
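The storage rules above can be backed by a check that runs before code leaves a workstation. The following is an added example, not LowRouter's own code: it scans a directory tree for strings shaped like the lr-sk- tokens described on this page and reports them redacted to prefix and last four characters, as the dashboard does. The character set after the prefix, the function name scan_lr_keys, and the use of GNU or BSD grep are assumptions.

```sh
#!/bin/sh
# Added example (not LowRouter code): find token-shaped strings in a tree.
# ASSUMPTION: after the documented "lr-sk-" prefix, tokens use only
# [A-Za-z0-9_-]. The page states only the prefix and the 40+ length.
# 6-character prefix + 34 more = the documented 40-character minimum.
LR_KEY_RE='lr-sk-[A-Za-z0-9_-]{34,}'

# scan_lr_keys PATH...
#   Prints one "file:line:lr-sk-...last4" row per match, so the scanner's
#   own output (CI logs, terminal scrollback) never holds a usable token.
#   Returns 1 when anything was found, 0 when the tree is clean.
scan_lr_keys() {
  # -r recurse, -I skip binaries, -H always print the file name,
  # -n line numbers, -o print only the matching text.
  # .env is skipped because it is the git-ignored local store named above;
  # .git is skipped because object files are not useful to grep.
  hits=$(grep -rIEHno --exclude-dir=.git --exclude=.env \
      -e "$LR_KEY_RE" -- "$@" |
    sed -E 's/(lr-sk-)[A-Za-z0-9_-]+([A-Za-z0-9_-]{4})$/\1...\2/')
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}
```

Called as scan_lr_keys . from a pre-commit hook or CI step, a non-zero return should block the change. Any key it reports in tracked files should be rotated, since a key committed even briefly counts as leaked.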

Use it

The header is the standard Authorization: Bearer:

Bash
curl https://lowrouter.ai/api/v1/chat/completions \
  -H "Authorization: Bearer $LOWROUTER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "lowrouter/auto",
    "messages": [{"role": "user", "content": "Hello"}]
  }'

The Authorization header value is exactly Bearer, one space, then the token, with no quotes and no other whitespace. SDKs accept the token as the constructor’s apiKey/api_key argument; see integrations.

Rotate or revoke

  • Rotate — create a second key, deploy it everywhere, then delete the old one. There is no built-in zero-downtime rotation feature; this create, deploy, delete sequence gives you zero-downtime rotation without one.
  • Revoke — Dashboard → Keys → Delete. The token stops working on the next request, with no caching delay.

Rotate at least every 90 days, and immediately after any of:

  • A key was committed to a repository (even briefly).
  • A key was sent over an insecure channel.
  • A team member with access to the key left the organisation.
  • Unexpected usage shows up on the dashboard.

Next

Run your first completion →