Browse docs
--- title: "Managed API Keys" description: "Issue scoped gateway credentials with user paths, routing restrictions, expiry, rate limits, and usage stats." icon: "key-round" ---
Overview
Managed API keys are gateway-issued credentials for applications, services, teams, tenants, or customers. They let callers use Aurora without receiving upstream provider secrets.
A managed key can carry user_path, allowed providers, allowed models, denied models, a provider pool binding, expiry, and request or token rate limits. In Enterprise profiles, keys can also carry a tenant_id for multi-tenant scoping.
Requests authenticated with a managed key use the key's effective user_path for usage, audit logs, workflows, model access, and routing policy. In Enterprise profiles, the key's tenant_id also scopes these systems.
Manual management
Use the dashboard at Auth Keys to issue keys, review active keys, inspect key usage, and deactivate old keys.
The raw secret value is returned only when the key is created. Store it in your secret manager immediately. Later list endpoints show metadata, not the raw key.
Server API automation
For endpoint reference see the Admin API section.
curl -X POST http://your-aurora-host/admin/api/v1/auth-keys \
-H "Authorization: Bearer $AURORA_MASTER_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "team-alpha-service",
"description": "Backend service key",
"tenant_id": "team-alpha",
"user_path": "/team/alpha/service",
"allowed_providers": ["openai-primary"],
"allowed_models": ["<model id returned by /admin/api/v1/models>"],
"denied_models": [],
"provider_pool_id": "",
"rate_limits": {
"requests_per_minute": 60,
"tokens_per_day": 1000000
}
}'Use managed keys for callers. Keep AURORA_MASTER_KEY restricted to operators and automation that must administer the gateway.