Key Management
What the key is for
An API key identifies your account, group, or access scope. Whether you use a terminal tool, IDE plugin, or script, first confirm that the key was issued by the current instance and is still valid.
What to confirm before use
- Which account or group the key belongs to
- Whether it has expired or been disabled
- Whether it is limited by quota, rate, or model scope
- Whether it must be used with a specific relay base URL
Safe usage advice
- Prefer environment variables instead of hardcoding the key in scripts or repositories.
- Do not paste the full key into tickets, chats, or screenshots.
- If support needs context, provide only a masked identifier.
- If multiple tools share one key, confirm that the quota window and rate limit are sufficient.
Rotation advice
Rotate the key when any of the following happens:
- You suspect the key was exposed
- The operator, device, or access owner changed
- You need to move to a different plan, group, or permission boundary
- The previous key is about to expire or is no longer used
When rotating, create and validate the new key first, then retire the old one to avoid breaking live traffic.
Common troubleshooting directions
If requests are rejected, usage looks abnormal, or clients behave differently, first check:
- Whether the full key was copied correctly
- Whether the environment variable was actually loaded
- Whether the client is reading the expected config file
- Whether the key belongs to the same deployment as the current base URL
- Whether quota, rate, or policy limits were triggered
What to send to support
- A masked key identifier
- Approximate time of the issue
- The client or tool you used
- The affected model or endpoint
- Error text, response body, or screenshot