AI Gateway Virtual Keys
A Virtual Key is a credential issued by the AI Gateway for accessing gateway proxy endpoints. You distribute Virtual Keys to your applications and AI tools, while the real vendor API Key is securely stored on the gateway side only. This approach not only prevents your real key from being exposed but also allows you to individually manage permissions, rate limits, rotation, and revocation for each Virtual Key. This guide details how to manage the entire lifecycle of your Virtual Keys.
Why Use Virtual Keys
- Protect Real API Keys — Applications and tools only interact with Virtual Keys; your actual vendor keys are never exposed.
- Fine-Grained Permission Control — Create different Virtual Keys for distinct projects/tools, each with its own restrictions on accessible models, channels, and rate limits.
- Instant Revocation — If a key becomes compromised or is no longer needed, revoke or rotate it instantly without affecting others.
Prerequisites
- You are logged into your ServBay account.
- You have added at least one available channel on the Channels page.
Creating a Virtual Key
Go to AI Gateway → Keys, then click Create:
- Name — Used to identify the purpose of the key (e.g., claude-code, my-app-dev).
- Description (optional) — Additional notes or explanations.
- Expiration Time — Set to never expire or specify a date.
- Allowed Channels (optional) — Selectable tags to restrict which channels this key can be routed to; leave blank for no restrictions.
- Allowed Models (optional) — Limit this key to specific models; leave blank for no restrictions.
- Rate Limits (optional):
  - RPM / TPM — Maximum requests or tokens per minute.
  - RPD / TPD — Maximum requests or tokens per day.
Plaintext key is shown only once
Upon successful creation, the gateway will display the plaintext key only once (e.g., servbay-sk-xxxxxxxx...). Be sure to copy and store it immediately. After closing, only the key prefix will be viewable for identification; the full plaintext cannot be viewed again. If lost, you can only generate a new one via "Rotate".
Key List
For each Virtual Key, the key list displays:
- Prefix — For example, servbay-sk-abcd..., used for identification.
- Status — Active, Revoked, or Expired.
- Creation / Last Used Time
- Permission Tags — Allowed models/channels, rate limits.
Managing Virtual Keys
In the key list, you can perform the following actions for each key:
| Action | Description | Effect |
|---|---|---|
| Edit | Modify name, description, allowed models/channels, rate limits | Takes effect immediately; the key itself remains unchanged |
| Rotate | Regenerate the plaintext key, immediately invalidating the old key; new plaintext is shown once | All applications/tools using this key must be updated |
| Revoke | Immediately deactivate the key, but keep it in the audit log | Irreversible; all requests using this key will be denied |
| Delete | Permanently remove the key | Irreversible |
Rotate vs. Revoke
- Rotate: The key record stays, but you get a new plaintext value. Suitable if you suspect a key has leaked but want to keep its configuration—remember to update clients.
- Revoke: Permanently disables the key but retains the record for auditing purposes. Use when a key is no longer needed.
Both actions require confirmation before proceeding.
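A minimal model of the create, rotate, and revoke semantics described above, as an added example that is not ServBay's code. It assumes the gateway keeps only a prefix and a SHA-256 hash of each key, which is one common way to make a plaintext key viewable only once; the `KeyStore` class, its methods, and the model names used with it are hypothetical.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field
PREFIX = "servbay-sk-"  # prefix format shown on the page; the random part is constructed
@dataclass
class VirtualKey:
    name: str
    prefix: str                      # kept so the key can be identified in the key list
    digest: bytes                    # assumption: only a hash of the plaintext is stored
    status: str = "Active"           # Active or Revoked (expiry omitted in this sketch)
    allowed_models: set = field(default_factory=set)  # empty set = no restriction

def _digest(plaintext: str) -> bytes:
    return hashlib.sha256(plaintext.encode()).digest()

class KeyStore:
    def __init__(self):
        self.keys = {}               # name -> VirtualKey
        self.audit = []              # (action, name) records, kept after revocation

    def _issue(self):
        plaintext = PREFIX + secrets.token_urlsafe(32)
        return plaintext, plaintext[:len(PREFIX) + 4], _digest(plaintext)

    def create(self, name, allowed_models=()):
        plaintext, prefix, digest = self._issue()
        self.keys[name] = VirtualKey(name, prefix, digest, allowed_models=set(allowed_models))
        self.audit.append(("create", name))
        return plaintext             # the only time the caller sees the full value

    def rotate(self, name):
        key = self.keys[name]
        plaintext, key.prefix, key.digest = self._issue()  # old value stops matching
        self.audit.append(("rotate", name))
        return plaintext             # restrictions on the record are untouched

    def revoke(self, name):
        self.keys[name].status = "Revoked"   # record stays for auditing
        self.audit.append(("revoke", name))

    def authorize(self, presented: str, model: str) -> str:
        d = _digest(presented)
        for key in self.keys.values():
            if hmac.compare_digest(d, key.digest):   # constant-time comparison
                if key.status != "Active":
                    return "denied: key " + key.status.lower()
                if key.allowed_models and model not in key.allowed_models:
                    return "denied: model not allowed"
                return "allowed"
        return "denied: unknown key"
```

After `rotate`, the old plaintext no longer matches any stored hash while the model restriction still applies to the new value; after `revoke`, the record and its audit entries remain but every request is denied.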
Integration with One-Click Takeover
When you use One-Click Takeover to point an AI tool to the gateway, the gateway will automatically generate a dedicated Virtual Key for that tool and configure it accordingly. You can also manually manage these automatically created keys on the Keys page.
Frequently Asked Questions (FAQ)
- Q: What if I forget to copy the plaintext key?
- A: Once closed, the plaintext key cannot be viewed again. You need to "Rotate" the key and use the new plaintext value in your applications.
- Q: What's the difference between revoke and delete?
- A: Revoking keeps the key record for auditing; deleting removes it entirely. Both actions immediately disable the key.
- Q: What happens if I restrict "Allowed Models" and the app requests another model?
- A: The gateway will reject any request for models outside the allowed list. Make sure your app's models are included or remove the restriction.
- Q: What happens if rate limits are exceeded?
- A: Requests exceeding the RPM/TPM/RPD/TPD will be throttled by the gateway. Review usage on the Statistics page and adjust limits as needed.
Summary
Virtual Keys let you deliver AI capabilities to your applications and tools with minimal, revocable permissions. With model/channel restrictions and rate limits, you can create tailored credentials for each use case, and rotate or revoke them at any time—all while keeping your real vendor API Keys secure.
