
# Create your first API key

API keys (also called *virtual keys*) authenticate every request to the
gateway. They are bearer tokens — anyone holding the string can spend
your credits — so the rest of this page is about creating, scoping, and
rotating them safely.

## Create one

1. **Dashboard → Keys**.
2. Click **New key**.
3. Give it a name that describes where it will be used (`prod-server`,
   `local-dev`, `chatbox-personal`). The name appears in the usage
   history and helps you find the right key to rotate later.
4. (Optional) Set scoping:
   - **Models** — restrict to a list of model IDs (`openai/gpt-4o`,
     `anthropic/claude-sonnet-4-5`).
   - **Region** — pin requests through this key to a region.
   - **Daily limit** — cap spend per day to a credit amount.
5. Click **Create**. The full token shows once — copy it now.

Tokens look like `lr-sk-...` and are 40+ characters. After creation, the
dashboard only ever shows the prefix and last four characters.

## Store it

- **Production** — in your secret manager (Vault, AWS Secrets Manager,
  GCP Secret Manager, sealed Kubernetes secret, …). Never in source
  control.
- **Local development** — in a `.env` file that is in `.gitignore`.
- **Personal tools** — in the OS keychain, or in the tool's own
  encrypted store. Avoid pasting the token into chat applications or
  notes apps that sync to the cloud.

A leaked key can be revoked from the dashboard at any time — see
*Rotate or revoke* below — but it can spend credits in the seconds
between the leak and the revocation. Treat keys like passwords.
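A check you can run before committing to enforce the "never in source control" rule, as an added example that is not part of the gateway's own tooling. It assumes the token body consists of URL-safe characters (the page states only the `lr-sk-` prefix and the 40+ length) and reports matches redacted to prefix plus last four, the way the dashboard displays keys.

```python
import re
import sys
from pathlib import Path

# Assumption: body characters are [A-Za-z0-9_-]. "lr-sk-" is 6 characters,
# so a 40+ character token has a body of at least 34.
TOKEN_RE = re.compile(r"lr-sk-[A-Za-z0-9_-]{34,}")

# Constructed sample input (not a real key): one leaked value and one
# documentation placeholder that must not be flagged.
SAMPLE = (
    "LOWROUTER_API_KEY=lr-sk-" + "x7Qp" * 9 + "\n"
    'curl -H "Authorization: Bearer lr-sk-..."\n'
)


def redact(token):
    """Keep only the prefix and last four characters, so the report
    itself never contains a usable key."""
    return f"{token[:6]}...{token[-4:]}"


def scan_text(text, source="<text>"):
    """Return (source, line number, redacted token) for every match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in TOKEN_RE.finditer(line):
            findings.append((source, lineno, redact(match.group())))
    return findings


def scan_paths(paths):
    """Scan regular files; unreadable or missing paths are skipped."""
    findings = []
    for name in paths:
        path = Path(name)
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, str(path)))
    return findings


if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:])
    for source, lineno, token in hits:
        print(f"{source}:{lineno}: possible gateway key {token}")
    sys.exit(1 if hits else 0)
```

Pass it the staged file names from a pre-commit hook; a non-zero exit blocks the commit. Any key it finds should be rotated as described under *Rotate or revoke*, even if the commit was never pushed.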

## Use it

The header is the standard `Authorization: Bearer`:

```bash
curl https://lowrouter.ai/api/v1/chat/completions \
  -H "Authorization: Bearer $LOWROUTER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "lowrouter/auto",
    "messages": [{"role": "user", "content": "Hello"}]
  }'
```

The `Authorization` header value is exactly `Bearer ` followed by the
token, with no quotes and no extra whitespace. SDKs accept the token
as the constructor's `apiKey`/`api_key` argument; see
[integrations](../integrations/openai-sdk).

## Rotate or revoke

- **Rotate** — create a second key, deploy it everywhere, then delete
  the old one. There is no built-in zero-downtime rotation; the pattern
  above gives you the same result without one.
- **Revoke** — **Dashboard → Keys → Delete**. The token stops working
  on the next request, with no caching delay.

Rotate at least every 90 days, and immediately after any of:

- A key was committed to a repository (even briefly).
- A key was sent over an insecure channel.
- A team member with access to the key left the organisation.
- Unexpected usage shows up on the dashboard.

## Next

[Run your first completion →](first-completion)
