API Key & Secret Management

The AI Gateway securely manages API keys and sensitive credentials for all configured LLM providers using environment variables with automatic discovery and secure handling.

Benefits:

Centralize credential access so developers only need the router URL, not individual provider API keys
Reduce credential sprawl by keeping all provider secrets in one secure location instead of distributing them
Simplify configuration with automatic API key discovery based on configured providers
Enable multi-provider setups by managing credentials for multiple LLM providers simultaneously

Quick Start

Set your provider API keys

Set environment variables for the providers you want to use:

export OPENAI_API_KEY="sk-..."
export ANTHROPIC_API_KEY="sk-ant-..."
export GEMINI_API_KEY="..."

Configure your providers

Create ai-gateway-config.yaml with your desired providers:

routers:
  my-router:
    load-balance:
      chat:
        strategy: latency
        providers:
          - openai      # Uses OPENAI_API_KEY
          - anthropic   # Uses ANTHROPIC_API_KEY
          - gemini      # Uses GEMINI_API_KEY

Start the gateway

npx @helicone/ai-gateway@latest --config ai-gateway-config.yaml

Test secret management

curl -X POST http://localhost:8080/router/my-router/chat/completions \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o-mini",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'

✅ The gateway automatically uses the correct API key for whichever provider it routes to!

Storage Options

Environment Variables - Default

Local environment variable storage

The AI Gateway automatically discovers and loads API keys from environment variables based on your configuration. It looks for {PROVIDER_NAME}_API_KEY environment variables for each configured provider.

Best for: Most deployments, development environments, and simple production setups

How it works:

Read configuration - Identifies which providers are configured in your routers
Load environment variables - Looks for {PROVIDER_NAME}_API_KEY for each provider
Validate at request time - Checks for required API keys when a request is routed to a specific provider

Example:

export OPENAI_API_KEY="sk-..."
export ANTHROPIC_API_KEY="sk-ant-..."

routers:
  my-router:
    load-balance:
      chat:
        strategy: latency
        providers: [openai, anthropic]

Cloud secret manager integrations (AWS Secrets Manager, Google Secret Manager, Azure Key Vault, HashiCorp Vault) are coming soon for enterprise deployments.

Use Cases

Use case: Production environment using multiple cloud providers for reliability and cost optimization.

# Set API keys for configured providers
export OPENAI_API_KEY="sk-..."
export ANTHROPIC_API_KEY="sk-ant-..."
export GEMINI_API_KEY="..."

routers:
  production:
    load-balance:
      chat:
        strategy: latency
        providers: [openai, anthropic, gemini]

Use case: Production environment using multiple cloud providers for reliability and cost optimization.

# Set API keys for configured providers
export OPENAI_API_KEY="sk-..."
export ANTHROPIC_API_KEY="sk-ant-..."
export GEMINI_API_KEY="..."

routers:
  production:
    load-balance:
      chat:
        strategy: latency
        providers: [openai, anthropic, gemini]

Use case: Development setup using local Ollama models for testing and cloud providers for comparison.

# Only need keys for cloud providers
export OPENAI_API_KEY="sk-..."
# Ollama runs locally, no key needed

routers:
  development:
    load-balance:
      chat:
        strategy: weighted
        providers:
          - provider: ollama     # No API key required
            weight: 0.8
          - provider: openai     # Requires OPENAI_API_KEY
            weight: 0.2

Use case: Different environments with different provider configurations and API key management.

# Production
export OPENAI_API_KEY="sk-prod-..."
export ANTHROPIC_API_KEY="sk-ant-prod-..."

# Staging
export OPENAI_API_KEY="sk-staging-..."
export ANTHROPIC_API_KEY="sk-ant-staging-..."

# Development - Local only
# No API keys needed for Ollama

How It Works

Request Flow

Configuration Read

Gateway reads your configuration and identifies which providers are configured across all routers

Environment Variable Discovery

Gateway automatically looks for {PROVIDER_NAME}_API_KEY environment variables for each configured provider

Request Arrives

A request comes in and the load balancer selects a provider based on your strategy

API Key Validation

Gateway checks if the required API key is available for the selected provider

Secure Forwarding

Request is forwarded to the provider with the appropriate API key, keeping credentials secure from the client

Supported Providers

The AI Gateway supports API key management for the following providers:

Provider	Environment Variable	Required	Notes
OpenAI	`OPENAI_API_KEY`	Yes	Standard OpenAI API key
Anthropic	`ANTHROPIC_API_KEY`	Yes	Claude API key
Gemini	`GEMINI_API_KEY`	Yes	Google AI Studio API key
AWS Bedrock	`BEDROCK_API_KEY`	Yes	AWS access key
VertexAI	`VERTEXAI_API_KEY`	Yes	GCP service account key
Ollama	N/A	No	Local deployment, no key needed

You only need to set environment variables for providers you actually use. If you make a request to a provider without a configured API key, the request will fail with a clear error message.

Error Handling

The AI Gateway provides clear error messages for secret management issues:

Provider Keys Not Found

Error: No API keys loaded for the router

Error: Provider keys not found for router: production

Solution: Ensure environment variables are set for all providers used in your router configuration.

Authentication Failures

Error: Provider rejects the API key during request

HTTP 401 Unauthorized from provider

Solution: Verify your API key is valid and has the required permissions with the provider. Authentication errors come directly from the provider’s API, not the gateway.

Missing Environment Variables

Security Best Practices

Credential Isolation

Router-Only Access

Keep provider keys in the router infrastructure only - developers and applications never handle actual provider API keys

Environment Variable Security

Only the router instances need access to {PROVIDER_NAME}_API_KEY environment variables

Client Authentication

Applications authenticate with the router URL instead of individual providers

Optional Gateway Authentication

Optionally enable Helicone authentication to require API keys for router access

Observability & Monitoring

Track usage and security through integrated monitoring:

Monitor API key usage - Track costs and request traces per provider
Audit logs - See which requests used which provider keys
Cost alerts - Set up usage monitoring and alerts per provider
Request tracing - Full observability through Helicone integration

For complete configuration options and syntax, see the Configuration Reference.

Coming Soon

The following secret management features are planned for future releases:

Feature	Description	Version
AWS Secrets Manager	Native integration with automatic rotation and cross-region replication	v2
Google Secret Manager	GCP-native secret management with IAM integration	v2
Azure Key Vault	Microsoft Azure secret management with enterprise governance	v2
HashiCorp Vault	Enterprise-grade secret management with dynamic secrets	v2

Getting Started

Integrations

Tracing

Prompt Engineering

AI Gateway

References

Quick Start

Storage Options

Use Cases

How It Works

Request Flow

Supported Providers

Error Handling

Security Best Practices

Credential Isolation

Observability & Monitoring

Coming Soon

Getting Started

Integrations

Tracing

Prompt Engineering

AI Gateway

References

​Quick Start

​Storage Options

​Use Cases

​How It Works

​Request Flow

​Supported Providers

​Error Handling

​Security Best Practices

​Credential Isolation

​Observability & Monitoring

​Coming Soon

Quick Start

Storage Options

Use Cases

How It Works

Request Flow

Supported Providers

Error Handling

Security Best Practices

Credential Isolation

Observability & Monitoring

Coming Soon