Developer Documentation

Authentication

LLM Gateways uses API key authentication for all scan endpoints. Keys are passed via an HTTP header on every request.

The X-API-Key header

POST /api/v1/prompt/scan
X-API-Key: lgk_your_key_here
Content-Type: application/json

All requests to /api/v1/prompt/scan must include a valid X-API-Key header. Requests without a key, or with a revoked/expired key, receive a 401 Unauthorized response.

Creating API keys

  1. Sign in to the dashboard
  2. Navigate to API Keys in the sidebar
  3. Click Create key and give it a descriptive name (e.g. production-chatbot, staging)
  4. Copy the key immediately — it is shown only once

Keys are prefixed with lgk_ so they are easy to identify in logs and environment files.

Storing keys safely

  • Store keys in environment variables, never in source code
  • Use a secrets manager (AWS Secrets Manager, Doppler, Vault) in production
  • Give each environment (dev, staging, prod) its own key so you can rotate independently

# .env.local (never commit this file)
LLMGATEWAYS_API_KEY=lgk_your_key_here

# Python
import os
LLMG_KEY = os.environ["LLMGATEWAYS_API_KEY"]

// TypeScript
const LLMG_KEY = process.env.LLMGATEWAYS_API_KEY!;
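
A check that follows from the lgk_ prefix and the storage rules above, as an added example rather than LLM Gateways' own code: it flags keys hardcoded in files and masks them in log lines. The key-body pattern and the sample key are assumptions constructed for illustration; the page documents only the prefix.

```python
import re
import sys
from pathlib import Path

# Assumption: the page documents only the "lgk_" prefix. The key body's
# character set and minimum length below are guesses; tune them to real keys.
KEY_RE = re.compile(r"\blgk_[A-Za-z0-9_-]{8,}")
PLACEHOLDERS = {"lgk_your_key_here"}  # placeholder used in the docs, not a secret

# Constructed sample inputs (the key is made up for this example).
SAMPLE_FILES = {
    "app.py": 'import os\nLLMG_KEY = "lgk_CONSTRUCTED0000000000abcd"\n',
    "config.py": 'import os\nLLMG_KEY = os.environ["LLMGATEWAYS_API_KEY"]\n',
    ".env.example": "LLMGATEWAYS_API_KEY=lgk_your_key_here\n",
}
SAMPLE_LOG = "POST /api/v1/prompt/scan X-API-Key: lgk_CONSTRUCTED0000000000abcd -> 401"


def redact(line: str) -> str:
    """Mask real-looking keys, keeping the last 4 characters for correlation."""
    def mask(match):
        key = match.group(0)
        return key if key in PLACEHOLDERS else "lgk_****" + key[-4:]
    return KEY_RE.sub(mask, line)


def find_hardcoded_keys(files: dict) -> list:
    """Return (path, line_number, redacted_line) for each line with a literal key."""
    findings = []
    for path, text in files.items():
        for number, line in enumerate(text.splitlines(), 1):
            # Reading the key from the environment never matches; a literal does.
            if any(k not in PLACEHOLDERS for k in KEY_RE.findall(line)):
                findings.append((path, number, redact(line)))
    return findings


if __name__ == "__main__":
    # With file arguments: scan them (for example from a pre-commit hook).
    # Without arguments: run on the constructed samples above.
    paths = sys.argv[1:]
    files = {p: Path(p).read_text(encoding="utf-8", errors="replace") for p in paths}
    hits = find_hardcoded_keys(files or SAMPLE_FILES)
    for path, number, line in hits:
        print(f"{path}:{number}: hardcoded LLM Gateways key: {line.strip()}")
    if not paths:
        print(redact(SAMPLE_LOG))
    sys.exit(1 if hits else 0)
```

The findings carry only the redacted line, so the scanner's own output can be stored in CI logs without repeating the key.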

Rotating keys

To rotate a key:

  1. Create a new key in the dashboard
  2. Deploy the new key to your service
  3. Delete the old key from the dashboard

There is no downtime — both keys are valid during the transition window.

Error responses

| Status | Reason |
|--------|--------|
| 401 Unauthorized | Missing, invalid, or revoked API key |
| 429 Too Many Requests | Rate limit exceeded |

All error responses include a JSON body:

{
  "detail": "Invalid or missing API key."
}