Authentication

Generate, scope, and rotate AnyRouter API keys. Learn about bearer tokens, BYOK (bring your own key), and per-environment isolation.

Edit on GitHub·View as Markdown

Authentication

AnyRouter uses bearer tokens for authentication. Every request must carry an Authorization: Bearer <key> header.

Key format

AnyRouter-issued keys are prefixed with ar-:

TEXT
text
ar-live-abc123def456ghi789jkl012mno345pqr678stu901vwx

The prefix lets you tell AnyRouter keys apart from upstream provider keys in logs, git diffs, and secret scanners.

Sending the header

BASH
bash
curl https://anyrouter.dev/api/v1/chat/completions \
  -H "Authorization: Bearer ar-your-key" \
  -H "Content-Type: application/json" \
  -d '{"model": "openai/gpt-4-turbo", "messages": [{"role": "user", "content": "hi"}]}'

The Anthropic Messages API passthrough at /api/v1/messages accepts x-api-key instead — see the Messages API reference.

Creating keys

Open the API Keys dashboard and click Create key. You can set:

  • Name — a human label (e.g. production-backend, ci-smoketest).
  • Scopes — restrict the key to specific endpoints or models.
  • Expiry — optional hard expiration date.
  • Rate limit override — cap requests-per-minute on this key.

The full key is shown once. Copy it immediately and store it in your secret manager — AnyRouter only retains the prefix after the dialog closes.

Warning

Never commit keys to git. Use environment variables, a secret manager, or runtime injection. If a key leaks, rotate it immediately from the dashboard.

Rotating keys

  1. Create a new key with the same scopes.
  2. Deploy your application with the new key.
  3. Verify traffic on the new key in the usage dashboard.
  4. Delete the old key.

Because AnyRouter keys are opaque and independent from upstream provider keys, rotation is zero-downtime — there's no need to coordinate with Anthropic, OpenAI, or any other provider.

BYOK (bring your own key)

If you prefer to pay providers directly, attach your own provider credentials to AnyRouter under Settings → BYOK. Requests routed through your BYOK credentials are billed to your upstream account — AnyRouter only charges a flat routing fee.

BYOK is ideal for:

  • Enterprises with existing upstream volume discounts.
  • Teams that need data residency guarantees tied to a specific provider region.
  • Users on provider-specific free tiers they want to preserve.

Key scopes

ScopeAllows
completions:writePOST /api/v1/chat/completions, /completions, /messages
embeddings:writePOST /api/v1/embeddings
models:readGET /api/v1/models and metadata
usage:readGET /api/v1/generation/:id, /credits
admin:*Create/delete keys, manage BYOK, manage org

Default-scope keys have completions:write, embeddings:write, models:read, and usage:read.