> ## Documentation Index
> Fetch the complete documentation index at: https://docs.arouter.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Key Management

> Create and manage API keys with provider restrictions, rate limits, spending limits, and expiry.

## Overview

ARouter uses two types of keys:

| Key Type           | Prefix         | Purpose                                                           |
| ------------------ | -------------- | ----------------------------------------------------------------- |
| **Management Key** | `lr_mgmt_xxxx` | Create, list, update, and delete API keys via the management API. |
| **API Key**        | `lr_live_xxxx` | Make LLM requests (chat completions, embeddings, etc.).           |

Management keys can create API keys with scoped access:

* **Allowed providers** — e.g. only OpenAI and Anthropic
* **Allowed models** — e.g. only `gpt-5.4` and `claude-sonnet-4.6`
* **Spending limits** — max budget per day/week/month
* **Expiry** — auto-expire after a date

```
Management Key: lr_mgmt_abc123
  ├── API Key 1: lr_live_def456  (OpenAI+Anthropic, $150/month, expires Dec 2025)
  ├── API Key 2: lr_live_ghi789  (DeepSeek only, $50/day)
  └── API Key 3: lr_live_jkl012  (all providers, unlimited)
```

## Create an API Key

<Tabs>
  <Tab title="cURL">
    ```bash theme={null}
    curl -X POST https://api.arouter.ai/api/v1/keys \
      -H "Authorization: Bearer lr_mgmt_xxxx" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "production-backend",
        "allowed_providers": ["openai", "anthropic"],
        "allowed_models": ["gpt-5.4", "claude-sonnet-4.6"],
        "limit": 150,
        "limit_reset": "monthly",
        "expires_at": "2025-12-31T23:59:59Z"
      }'
    ```
  </Tab>

  <Tab title="Python">
    ```python theme={null}
    import requests

    resp = requests.post(
        "https://api.arouter.ai/api/v1/keys",
        headers={"Authorization": "Bearer lr_mgmt_xxxx"},
        json={
            "name": "production-backend",
            "allowed_providers": ["openai", "anthropic"],
            "limit": 150,
            "limit_reset": "monthly",
            "expires_at": "2025-12-31T23:59:59Z",
        },
    )
    data = resp.json()
    print("API Key:", data["key"])
    ```
  </Tab>

  <Tab title="Go">
    ```go theme={null}
    key, err := client.CreateKey(ctx, &arouter.CreateKeyRequest{
        Name:             "production-backend",
        AllowedProviders: []string{"openai", "anthropic"},
        Limit:            float64Ptr(150),
        LimitReset:       "monthly",
    })
    fmt.Println("API Key:", key.Key)
    ```
  </Tab>

  <Tab title="Node.js">
    ```typescript theme={null}
    const key = await router.createKey({
      name: "production-backend",
      allowed_providers: ["openai", "anthropic"],
      limit: 150,
      limit_reset: "monthly",
    });
    console.log("API Key:", key.key);
    ```
  </Tab>
</Tabs>

<Info>
  The `key` field is only returned **once** at creation time. Store it securely — you cannot
  retrieve it later.
</Info>

## Response

```json theme={null}
{
  "data": {
    "hash": "abc123...",
    "name": "production-backend",
    "key_type": "regular",
    "disabled": false,
    "limit": 150,
    "limit_remaining": 150,
    "limit_reset": "monthly",
    "allowed_providers": ["openai", "anthropic"],
    "allowed_models": ["gpt-5.4", "claude-sonnet-4.6"],
    "usage": 0,
    "created_at": "2025-01-15T10:30:00Z",
    "expires_at": "2025-12-31T23:59:59Z"
  },
  "key": "lr_live_xxxxxxxxxxxxxxxx"
}
```

## List API Keys

```bash theme={null}
curl "https://api.arouter.ai/api/v1/keys?page_size=20" \
  -H "Authorization: Bearer lr_mgmt_xxxx"
```

Supports pagination with `page_size`, `page_token`, and `offset` query parameters.

## Update an API Key

```bash theme={null}
curl -X PATCH https://api.arouter.ai/api/v1/keys/KEY_HASH \
  -H "Authorization: Bearer lr_mgmt_xxxx" \
  -H "Content-Type: application/json" \
  -d '{"disabled": true}'
```

You can update `name`, `disabled`, `limit`, `limit_reset`, `allowed_providers`, and `allowed_models`.

## Delete an API Key

```bash theme={null}
curl -X DELETE https://api.arouter.ai/api/v1/keys/KEY_HASH \
  -H "Authorization: Bearer lr_mgmt_xxxx"
```

Deleted keys are immediately invalidated and cannot be restored.

## Use Cases

| Scenario                  | Configuration                                           |
| ------------------------- | ------------------------------------------------------- |
| **Per-service isolation** | One API key per microservice with specific model access |
| **Cost control**          | Spending limits per team or environment                 |
| **Temporary access**      | Short-lived keys with `expires_at` for contractors      |
| **Provider lockdown**     | Restrict staging to cheap models only                   |
| **Rate protection**       | Adjust limits per key via the dashboard                 |
