# Authentication

> Generate, scope, and rotate AnyRouter API keys. Learn about bearer tokens, BYOK (bring your own key), and per-environment isolation.



AnyRouter uses bearer tokens for authentication. Every request must carry an `Authorization: Bearer <key>` header.

## Key format

AnyRouter-issued keys are prefixed with `ar-`:

```text
ar-live-abc123def456ghi789jkl012mno345pqr678stu901vwx
```

The prefix lets you tell AnyRouter keys apart from upstream provider keys in logs, git diffs, and secret scanners.

## Sending the header

```bash
curl https://anyrouter.dev/api/v1/chat/completions \
  -H "Authorization: Bearer ar-your-key" \
  -H "Content-Type: application/json" \
  -d '{"model": "openai/gpt-4-turbo", "messages": [{"role": "user", "content": "hi"}]}'
```

The Anthropic Messages API passthrough at `/api/v1/messages` accepts `x-api-key` instead — see the [Messages API reference](/docs/api-reference/messages).

## Creating keys

Open the [API Keys dashboard](/dashboard/keys) and click **Create key**. You can set:

- **Name** — a human label (e.g. `production-backend`, `ci-smoketest`).
- **Scopes** — restrict the key to specific endpoints or models.
- **Expiry** — optional hard expiration date.
- **Rate limit override** — cap requests-per-minute on this key.

The full key is shown **once**. Copy it immediately and store it in your secret manager — AnyRouter only retains the prefix after the dialog closes.

:::warning
Never commit keys to git. Use environment variables, a secret manager, or runtime injection. If a key leaks, rotate it immediately from the dashboard.
:::
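
The `ar-` prefix described under Key format is what makes a commit-time check for leaked keys practical. The following is an added example, not AnyRouter's own tooling: a scanner for `git diff` output that flags keys on added lines and reports them with only the prefix retained. The key shape (an environment label followed by at least 32 alphanumeric characters) is an assumption inferred from the sample key above, and `scan_diff`, `redact` and the sample diff are constructed for illustration.

```python
import re
import sys

# Assumption: key shape inferred from the one sample key on this page
# ("ar-", an environment label, then a long alphanumeric secret). The
# 32-character minimum is an assumption that skips placeholders.
AR_KEY = re.compile(r"\bar-[a-z]+-[A-Za-z0-9]{32,}\b")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def redact(key):
    """Keep only the non-secret prefix so findings are safe to log."""
    return key[: key.index("-", 3) + 1] + "<redacted>"

def scan_diff(diff_text):
    """Return (path, new-file line, redacted key) for every key on an
    added line of `git diff` output."""
    findings, path, lineno, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False
        elif not in_hunk and line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif m := HUNK.match(line):
            in_hunk, lineno = True, int(m.group(1))
        elif in_hunk and line.startswith("+"):
            findings += [(path, lineno, redact(k)) for k in AR_KEY.findall(line)]
            lineno += 1
        elif in_hunk and line.startswith(" "):
            lineno += 1  # context lines exist in the new file; "-" lines do not
    return findings

# Constructed sample input: not a real credential or a real repository.
FAKE_KEY = "ar-live-" + "a1B2c3D4" * 5
SAMPLE_DIFF = f"""\
diff --git a/deploy/.env b/deploy/.env
--- a/deploy/.env
+++ b/deploy/.env
@@ -3,2 +3,3 @@
 LOG_LEVEL=info
-ANYROUTER_API_KEY=
+ANYROUTER_API_KEY={FAKE_KEY}
+DOCS_EXAMPLE=ar-your-key
"""

if __name__ == "__main__":
    # Reads a diff from a pipe; falls back to the sample when run interactively.
    hits = scan_diff(SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read())
    for path, lineno, key in hits:
        print(f"{path}:{lineno}: AnyRouter key {key}")
    sys.exit(1 if hits else 0)
```

Saved under a name of your choice (here, hypothetically, `scan_keys.py`), it can run as a pre-commit hook via `git diff --cached | python scan_keys.py`, where the non-zero exit status blocks the commit.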

## Rotating keys

1. Create a new key with the same scopes.
2. Deploy your application with the new key.
3. Verify traffic on the new key in the [usage dashboard](/dashboard/usage).
4. Delete the old key.

Because AnyRouter keys are opaque and independent from upstream provider keys, rotation is zero-downtime — there's no need to coordinate with Anthropic, OpenAI, or any other provider.

## BYOK (bring your own key)

If you prefer to pay providers directly, attach your own provider credentials to AnyRouter under **Settings → BYOK**. Requests routed through your BYOK credentials are billed to your upstream account — AnyRouter only charges a flat routing fee.

BYOK is ideal for:

- Enterprises with existing upstream volume discounts.
- Teams that need data residency guarantees tied to a specific provider region.
- Users on provider-specific free tiers they want to preserve.

## Key scopes

| Scope | Allows |
|---|---|
| `completions:write` | POST `/api/v1/chat/completions`, `/completions`, `/messages` |
| `embeddings:write` | POST `/api/v1/embeddings` |
| `models:read` | GET `/api/v1/models` and metadata |
| `usage:read` | GET `/api/v1/generation/:id`, `/credits` |
| `admin:*` | Create/delete keys, manage BYOK, manage org |

Default-scope keys have `completions:write`, `embeddings:write`, `models:read`, and `usage:read`.
