API Keys
API keys give service-account access to the proxy — CI pipelines, Claude Desktop, and scripts that can’t run the interactive OAuth helper.
Format
ar_live_<base62_random_32chars> # production proxy
ar_test_<base62_random_32chars> # dev proxy

The prefix makes leaked keys grep-able. Only the first 8 characters (prefix) are stored for lookup; the full value is stored as a bcrypt hash (cost 12).
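Because every key starts with ar_live_ or ar_test_, one pattern is enough to find leaked keys in a repository, CI log, or config dump. The scanner below is an added example, not the proxy's own code; the function names and the sample config lines are constructed for illustration.

```python
import re
import secrets
import string

BASE62 = string.digits + string.ascii_letters
# Shape from the Format section: ar_live_ / ar_test_ followed by 32 base62 characters.
# The look-arounds reject longer alphanumeric runs that merely contain a key-shaped slice.
KEY_RE = re.compile(r"(?<![0-9A-Za-z])ar_(live|test)_[0-9A-Za-z]{32}(?![0-9A-Za-z])")


def make_sample_key(env):
    """Build a constructed key of the documented shape (scanner test data only)."""
    return f"ar_{env}_" + "".join(secrets.choice(BASE62) for _ in range(32))


def scan_text(text, source="<input>"):
    """Return one finding per key-shaped string, without echoing the secret part."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append({
                "source": source,
                "line": lineno,
                "env": match.group(1),         # "live" or "test"
                "prefix": match.group(0)[:8],  # first 8 chars only, never the secret
            })
    return findings


def redact(text):
    """Replace every key-shaped string with its 8-character prefix plus a marker."""
    return KEY_RE.sub(lambda m: m.group(0)[:8] + "[REDACTED]", text)


def build_sample():
    """Constructed config snippet: two key-shaped values and two non-matches."""
    live, test = make_sample_key("live"), make_sample_key("test")
    text = "\n".join([
        "# constructed sample, not a real config",
        f"PROXY_API_KEY={live}",
        "DOC_EXAMPLE=ar_live_<base62_random_32chars>",  # placeholder: no match
        f'export DEV_KEY="{test}"',
        "TRUNCATED=ar_test_" + "A" * 31,                # too short: no match
    ])
    return text, live, test


if __name__ == "__main__":
    sample, _, _ = build_sample()
    for f in scan_text(sample, "ci.env"):
        print(f"{f['source']}:{f['line']}: {f['env']} key ({f['prefix']}...)")
    print(redact(sample))
```

Run `scan_text` over files in a pre-commit hook or CI step, and pass log lines through `redact` before they are stored.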
Fields
| Field | Notes |
|---|---|
| key_id | System-generated UUID |
| prefix | First 8 chars of the raw key (DynamoDB lookup key) |
| bcrypt_hash | bcrypt of the full raw value |
| name | Human label, e.g. “GitHub Actions prod” |
| scopes | proxy:invoke in the MVP |
| allowed_models | If absent, inherits from the associated user’s grant |
| allowed_regions | If absent, inherits from the grant or tenant default |
| monthly_budget_usd | Optional per-key budget cap |
| expires_at | If set, the key is auto-rejected after this date |
| last_used_at | Updated on every authenticated use |
| status | active / revoked |
Lifecycle
The raw key value is returned once, at creation. It is never stored in plain text and cannot be retrieved again. The console shows it in a copy-once modal with an “I’ve copied this key” confirmation.
- Rotate: create a new key → update the caller’s config → revoke the old key. Both keys work during the transition window.
- Revoke: takes effect on the next request. The lookup returns status=revoked and the proxy responds 401.