Authentication

API key types, scopes, rate limits, and authentication methods for the AllRoutes API.

Overview

AllRoutes uses API keys for authentication. Every request to the API must include a valid key in the Authorization header as a Bearer token.

Authorization: Bearer allroutes_sk_...

API Key Types

AllRoutes issues three types of API keys, each with a distinct prefix:

Secret Keys (allroutes_sk_)

Secret keys are the standard authentication method for server-side applications. They have full access to the API based on their configured scopes.

  • Use for: Backend services, server-side applications, scripts
  • Security: Never expose in client-side code or public repositories
  • Example: allroutes_sk_a1b2c3d4e5f6...

Public Keys (allroutes_pk_)

Public keys are designed for client-side applications with restricted permissions. They can only access a subset of endpoints and have stricter rate limits.

  • Use for: Browser-based apps, mobile apps, public-facing clients
  • Security: Safe to include in client-side bundles (with origin restrictions)
  • Example: allroutes_pk_x9y8z7w6v5u4...

Management Keys (allroutes_mgmt_)

Management keys provide access to administrative endpoints for managing your organization, keys, and billing.

  • Use for: Automation scripts, CI/CD pipelines, admin dashboards
  • Security: Treat with the same care as secret keys
  • Example: allroutes_mgmt_m1n2o3p4q5r6...

Creating API Keys

  1. Sign in to the AllRoutes Dashboard
  2. Navigate to Settings > API Keys
  3. Click Create New Key
  4. Configure the key:
    • Name -- a human-readable label for identification
    • Type -- secret, public, or management
    • Scopes -- which API endpoints the key can access
    • Rate Limits -- requests per minute (RPM) cap
    • Budget -- daily and/or monthly spend limits in USD
    • Allowed Models -- restrict to specific models (optional)
    • Expiration -- set an expiry date (optional)
  5. Copy the key immediately -- it will not be shown again

Per-Key Scopes

Each key can be granted a subset of permissions:

ScopeDescription
chat:completionsCreate chat completions
embeddingsCreate embeddings
models:readList and view models
keys:manageCreate, update, and delete API keys
billing:readView credit balance and transactions
billing:writeTop up credits and manage subscriptions
presets:readList presets
presets:writeCreate, update, and delete presets
cache:manageConfigure and purge cache
providers:manageManage BYOK provider keys

Rate Limits

Rate limits are enforced per key and can be configured when creating or updating a key.

PlanDefault RPMDefault Daily Budget
Free60 RPM$5/day
Pro600 RPM$100/day
EnterpriseCustomCustom

Rate limit headers are included in every response:

X-RateLimit-Limit: 600
X-RateLimit-Remaining: 594
X-RateLimit-Reset: 1714000000

When a rate limit is exceeded, the API returns a 429 Too Many Requests response.

Budget Controls

Set spending limits per key to prevent runaway costs:

  • daily_budget_usd -- maximum spend per calendar day
  • monthly_budget_usd -- maximum spend per calendar month

When a budget is exhausted, requests return 402 Payment Required until the next period begins.

JWT Authentication (Dashboard)

The AllRoutes dashboard uses JWT-based authentication for browser sessions. JWTs are issued upon login and include:

  • User identity and organization membership
  • Session expiration (configurable)
  • Refresh token rotation for long-lived sessions

JWTs are not used for API access -- use API keys for programmatic access.

Best Practices

  1. Rotate keys regularly -- delete old keys and create new ones periodically
  2. Use scoped keys -- grant only the permissions each service needs
  3. Set budgets -- always configure daily/monthly limits on production keys
  4. Use environment variables -- never hardcode keys in source code
  5. Monitor usage -- check the dashboard for unusual activity patterns
# Store your key in an environment variable
export ALLROUTES_API_KEY="allroutes_sk_..."
import os
from allroutes import AllRoutesClient

client = AllRoutesClient(api_key=os.environ["ALLROUTES_API_KEY"])

See Also