API Key & Secret Management
Secure API key management for multiple LLM providers with automatic discovery
The AI Gateway securely manages API keys and sensitive credentials for all configured LLM providers using environment variables with automatic discovery and secure handling.
Benefits:
✅ The gateway automatically uses the correct API key for whichever provider it routes to!
- Centralize credential access so developers only need the router URL, not individual provider API keys
- Reduce credential sprawl by keeping all provider secrets in one secure location instead of distributing them
- Simplify configuration with automatic API key discovery based on configured providers
- Enable multi-provider setups by managing credentials for multiple LLM providers simultaneously
Quick Start
1
Set your provider API keys
Set up your .env file with your PROVIDER_API_KEYs:
2
Configure your providers
Create
ai-gateway-config.yaml with your desired providers:3
Start the gateway
4
Test secret management
Storage Options
Environment Variables - Default
Environment Variables - Default
Local environment variable storageThe AI Gateway automatically discovers and loads API keys from environment variables based on your configuration. It looks for
{PROVIDER_NAME}_API_KEY environment variables for each configured provider.Best for: Most deployments, development environments, and simple production setupsHow it works:- Read configuration - Identifies which providers are configured in your routers
- Load environment variables - Looks for
{PROVIDER_NAME}_API_KEYfor each provider - Validate at request time - Checks for required API keys when a request is routed to a specific provider
Cloud secret manager integrations (AWS Secrets Manager, Google Secret Manager, Azure Key Vault, HashiCorp Vault) are coming soon for enterprise deployments.
Use Cases
Use case: Production environment using multiple cloud providers for reliability and cost optimization.Set up your .env file with your PROVIDER_API_KEYs:
How It Works
Request Flow
1
Configuration Read
Gateway reads your configuration and identifies which providers are configured across all routers
2
Environment Variable Discovery
Gateway automatically looks for
{PROVIDER_NAME}_API_KEY environment variables for each configured provider3
Request Arrives
A request comes in and the load balancer selects a provider based on your strategy
4
API Key Validation
Gateway checks if the required API key is available for the selected provider
5
Secure Forwarding
Request is forwarded to the provider with the appropriate API key, keeping credentials secure from the client
Supported Providers
The AI Gateway supports API key management for the following providers:| Provider | Environment Variable | Required | Notes |
|---|---|---|---|
| OpenAI | OPENAI_API_KEY | Yes | Standard OpenAI API key |
| Anthropic | ANTHROPIC_API_KEY | Yes | Claude API key |
| Gemini | GEMINI_API_KEY | Yes | Google AI Studio API key |
| AWS Bedrock | AWS_ACCESS_KEY, AWS_SECRET_KEY | Yes | AWS access key and secret key |
| Mistral | MISTRAL_API_KEY | Yes | Mistral API key |
| Ollama | N/A | No | Local deployment, no key needed |
You only need to set environment variables for providers you actually use. If you make a request to a provider without a configured API key, the request will fail with a clear error message.
Error Handling
The AI Gateway provides clear error messages for secret management issues:Provider Keys Not Found
Provider Keys Not Found
Error: No API keys loaded for the routerSolution: Ensure environment variables are set for all providers used in your router configuration.
Authentication Failures
Authentication Failures
Error: Provider rejects the API key during requestSolution: Verify your API key is valid and has the required permissions with the provider. Authentication errors come directly from the provider’s API, not the gateway.
Missing Environment Variables
Missing Environment Variables
Behavior: Requests to providers without API keys will failIf you configure a provider in your router but don’t set the corresponding environment variable, requests to that provider will fail when attempted.Solution: Set the required environment variables:
- OpenAI:
OPENAI_API_KEY - Anthropic:
ANTHROPIC_API_KEY - Gemini:
GEMINI_API_KEY - AWS Bedrock:
AWS_ACCESS_KEY+AWS_SECRET_KEY
Security Best Practices
Credential Isolation
1
Router-Only Access
Keep provider keys in the router infrastructure only - developers and applications never handle actual provider API keys
2
Environment Variable Security
Only the router instances need access to
{PROVIDER_NAME}_API_KEY environment variables3
Client Authentication
Applications authenticate with the router URL instead of individual providers
4
Optional Gateway Authentication
Optionally enable Helicone authentication to require API keys for router access
Observability & Monitoring
Track usage and security through integrated monitoring:- Monitor API key usage - Track costs and request traces per provider
- Audit logs - See which requests used which provider keys
- Cost alerts - Set up usage monitoring and alerts per provider
- Request tracing - Full observability through Helicone integration
For complete configuration options and syntax, see the Configuration Reference.
Coming Soon
The following secret management features are planned for future releases:| Feature | Description | Version |
|---|---|---|
| AWS Secrets Manager | Native integration with automatic rotation and cross-region replication | v2 |
| Google Secret Manager | GCP-native secret management with IAM integration | v2 |
| Azure Key Vault | Microsoft Azure secret management with enterprise governance | v2 |
| HashiCorp Vault | Enterprise-grade secret management with dynamic secrets | v2 |