OpenRouter API Access & Keys

Generate, manage, and secure your OpenRouter API keys — the single credential that unlocks access to hundreds of AI models across every supported provider.

Understanding API Fundamentals

Every interaction with the OpenRouter platform begins with an API key — a cryptographically generated credential that authenticates your requests and determines what resources your application can access. Understanding key types, permission scoping, and security best practices before you write your first API call prevents configuration mistakes that can lead to unauthorized access or service interruptions down the line.

API Key Types and Permission Configuration

OpenRouter provides three distinct API key types, each designed for different stages of the development lifecycle and security postures. Choosing the right key type for each use case limits the blast radius of a potential credential leak and makes access auditing more straightforward.

Standard keys provide full account access and are suitable for individual developers who need unrestricted API usage. Scoped keys let you restrict access to specific model families, limit spending to a defined budget, or grant read-only access for monitoring dashboards. Team keys support multi-user workspaces where administrators need to delegate access to developers without sharing account-level credentials that could be used to modify billing settings or view sensitive financial data.

The permission model follows the principle of least privilege — keys should only carry the permissions necessary for their intended workload. A key used by a CI/CD pipeline to run automated model evaluations, for instance, requires only model invocation permission and a spending cap, not access to team management or billing functions. Configuring permissions precisely during key creation reduces the operational overhead of monitoring for unusual key usage patterns after deployment.

| Key Type | Permissions | Default Rate Limit |
|---|---|---|
| Standard Key | Full account access — models, billing, team management | 600 requests/min |
| Scoped Key | Configurable — model-specific, read-only, spending-capped | 300 requests/min |
| Team Key | Workspace-scoped — shared credit pool, role-based limits | 200 requests/min per member |
| Read-Only Key | Dashboard access only — no model invocation, no billing changes | 120 requests/min |
| Ephemeral Key | Time-limited — auto-expires after configured duration | 150 requests/min |

How OpenRouter Authenticates API Requests

OpenRouter authenticates every API request using Bearer token authentication — the industry-standard method for REST API security. Your API key travels in the HTTP Authorization header, encrypted in transit by TLS 1.3, and is validated by the platform's authentication service before any model invocation occurs.

To authenticate a request, include the header Authorization: Bearer YOUR_API_KEY in every HTTP call to the OpenRouter base URL. The platform rejects requests that omit this header with a 401 Unauthorized response. Keys that have been revoked, expired, or disabled return the same 401 status, making it straightforward for client code to detect and handle authentication failures uniformly.

For additional security in production deployments, OpenRouter supports IP allowlisting at the key level. When configured, the authentication service rejects requests originating from IP addresses outside the allowed range, even if the key itself is valid. This network-layer check runs before the key validation step, adding a defense-in-depth layer that stops compromised credentials from being used from unauthorized networks. Teams operating behind static IP ranges or VPN gateways should enable this feature as a standard security practice.

Environment Variable Configuration

The safest way to pass your OpenRouter API key to an application is through environment variables. Store the key in a .env file excluded from version control, then reference it in your code via the standard process.env mechanism or your language's equivalent. This approach keeps the credential out of source files, avoids accidental commits to public repositories, and makes key rotation a configuration change rather than a code change.
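The Bearer header, the uniform 401 handling described above, and the environment-variable loading, as an added example (not OpenRouter's own client code). The base URL, the variable name OPENROUTER_API_KEY and the offline 401 stand-in are assumptions of this example.

```python
"""Added example, not OpenRouter's own client: key from the environment, sent as a
Bearer token; every 401 handled the same way (missing/revoked/expired/disabled)."""
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://openrouter.ai/api/v1"  # assumed for this example; not stated on the page
ENV_VAR = "OPENROUTER_API_KEY"              # assumed variable name

class AuthError(RuntimeError):
    """Any 401: key missing, revoked, expired or disabled."""

def load_key(env=None):
    """Read the key at call time so a rotated key is a config change, not a code change."""
    key = (os.environ if env is None else env).get(ENV_VAR, "").strip()
    if not key:
        raise AuthError(f"{ENV_VAR} is not set")
    return key

def auth_headers(key):
    """The header the platform validates before any model invocation."""
    return {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}

def redact(key):
    """Log-safe form of a key; the full string never goes into logs."""
    return key[:6] + "..." + key[-4:] if len(key) > 12 else "***"

def post_json(path, payload, key, opener=urllib.request.urlopen):
    """POST to the API; a 401 becomes AuthError so callers handle it uniformly."""
    req = urllib.request.Request(BASE_URL + path, data=json.dumps(payload).encode(),
                                 headers=auth_headers(key), method="POST")
    try:
        with opener(req, timeout=30) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise AuthError(f"key {redact(key)} rejected with 401") from err
        raise

def rejecting_opener(req, timeout=None):
    """Stand-in for the network that always answers 401, so this runs offline."""
    raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)

if __name__ == "__main__":
    try:
        post_json("/chat/completions", {"messages": []}, "sk-or-example-key-0000", opener=rejecting_opener)
    except AuthError as exc:
        print("handled:", exc)
```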

API Key Security Best Practices

Securing OpenRouter API keys requires a layered approach that spans key creation, storage, transmission, monitoring, and rotation. No single practice provides complete protection, but combining several techniques creates a security posture that resists common credential exposure vectors.

Key rotation should be automated where possible. Set expiration dates on production keys and use a secrets management service like HashiCorp Vault or AWS Secrets Manager to distribute new keys to running services. The OpenRouter dashboard supports instant key revocation, meaning you can rotate compromised credentials without service downtime by generating a replacement key, deploying it through your secrets pipeline, and revoking the old key in a single workflow.

Monitoring key usage through the OpenRouter analytics dashboard provides an early warning system for credential misuse. Unusual patterns — such as requests from unexpected geographic regions, sudden spikes in token consumption, or repeated 401 errors from a previously working key — warrant immediate investigation. The platform's usage logs include IP addresses, timestamps, and model identifiers for every request, giving security teams the forensic data needed to trace anomalous activity.
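Triage of the three patterns named above (unexpected source addresses, token spikes, repeated 401s) over a constructed usage-log sample, as an added example that is not part of the page. The log line format, the expected network range and the thresholds are assumptions; the real dashboard export will differ.

```python
"""Added example, not from the page: flag the three anomaly classes the text names
over a constructed usage-log sample. The line format is an assumption."""
import ipaddress
import statistics
from collections import Counter

# Constructed sample: timestamp, client IP, HTTP status, model id, tokens used
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 200 anthropic/claude-3-haiku 900
2024-05-01T10:00:07Z 203.0.113.11 200 anthropic/claude-3-haiku 1100
2024-05-01T10:00:12Z 203.0.113.10 200 openai/gpt-4o 1000
2024-05-01T10:01:03Z 198.51.100.77 200 openai/gpt-4o 48000
2024-05-01T10:01:05Z 198.51.100.77 401 openai/gpt-4o 0
2024-05-01T10:01:06Z 198.51.100.77 401 openai/gpt-4o 0
2024-05-01T10:01:08Z 198.51.100.77 401 openai/gpt-4o 0
2024-05-01T10:02:00Z 203.0.113.12 200 anthropic/claude-3-haiku 950
"""
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # networks our servers call from
SPIKE_FACTOR = 10      # a call using > factor x median tokens of successful calls
MAX_401_PER_IP = 3     # repeated rejections from one source warrant a look

def parse(text):
    """Parse one record per line into a dict; IPs become ipaddress objects."""
    rows = []
    for line in text.splitlines():
        ts, ip, status, model, tokens = line.split()
        rows.append({"ts": ts, "ip": ipaddress.ip_address(ip), "status": int(status),
                     "model": model, "tokens": int(tokens)})
    return rows

def find_anomalies(rows):
    """Return the unexpected sources, token spikes and repeated-401 sources."""
    ok_tokens = [r["tokens"] for r in rows if r["status"] == 200]
    median = statistics.median(ok_tokens) if ok_tokens else 0
    unexpected = {str(r["ip"]) for r in rows
                  if not any(r["ip"] in net for net in EXPECTED_NETS)}
    spikes = [r["ts"] for r in rows
              if r["status"] == 200 and median and r["tokens"] > SPIKE_FACTOR * median]
    rejects = Counter(str(r["ip"]) for r in rows if r["status"] == 401)
    return {"unexpected_source": sorted(unexpected),
            "token_spike": spikes,
            "repeated_401": {ip: n for ip, n in rejects.items() if n >= MAX_401_PER_IP}}

if __name__ == "__main__":
    for kind, hits in find_anomalies(parse(SAMPLE_LOG)).items():
        print(kind, hits)
```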

For organizations subject to compliance requirements, OpenRouter's security documentation aligns with frameworks referenced by the NIST Artificial Intelligence standards program, which provides guidance on secure AI system development and credential management. Reviewing these standards alongside the platform's own security controls helps teams build API integrations that satisfy both technical and regulatory requirements.

The Better Business Bureau recommends that businesses verify the security practices of any platform handling sensitive credentials before integrating it into production workflows — a due diligence step that the OpenRouter security architecture is designed to satisfy.

Common Key Exposure Vectors and How to Avoid Them

Hard-coded keys in source repositories represent the most frequent cause of credential leaks. Automated secret scanning tools can detect keys committed to public repositories within minutes, and malicious actors actively search for exposed API credentials. Using environment variables or a secrets manager eliminates this vector entirely. Client-side exposure — placing API keys in browser-accessible JavaScript or mobile application code — creates another common vulnerability. OpenRouter keys should only be used from server-side environments where the credential cannot be extracted by end users inspecting network traffic or application binaries.
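A pre-commit style scan for the hard-coded-key vector above, as an added example that is not part of the page. It keys on the sk-or- prefix shown later on this page; the suffix pattern and the sample source file are assumptions.

```python
"""Added example, not from the page: a pre-commit style scan that stops OpenRouter
keys (prefix sk-or-, as shown on this page) from being committed. The suffix
pattern is an assumption; tune it to the real key format."""
import re
import sys

# Assumed shape: the documented prefix followed by a long token-safe suffix.
KEY_RE = re.compile(r"sk-or-[A-Za-z0-9_-]{16,}")

def scan_text(text, name="<stdin>"):
    """Return (file, line_no, redacted_match) for every key-like string found."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            key = m.group(0)
            hits.append((name, no, key[:6] + "..." + key[-4:]))  # never echo the full key
    return hits

def scan_files(paths):
    """Scan each path; returns hits across all files."""
    hits = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits.extend(scan_text(fh.read(), path))
    return hits

# Constructed sample: one hard-coded (fake) key and one correct env-var reference.
SAMPLE_SOURCE = """\
const client = new Client({ apiKey: "sk-or-FAKEKEYFAKEKEYFAKEKEY0001" });
const safe = new Client({ apiKey: process.env.OPENROUTER_API_KEY });
"""

if __name__ == "__main__":
    # With file arguments this behaves like a hook; without, it scans the sample.
    found = scan_files(sys.argv[1:]) if sys.argv[1:] else scan_text(SAMPLE_SOURCE, "sample.js")
    for name, no, shown in found:
        print(f"{name}:{no}: possible OpenRouter key {shown}")
    sys.exit(1 if found else 0)
```

Wire it into a pre-commit hook over the staged files so a non-zero exit blocks the commit.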

Frequently Asked Questions About API Access

How do I generate an OpenRouter API key?

Sign in to your OpenRouter account, navigate to the API Keys section of the dashboard, and click Generate Key. Name your key for easy identification, select the permission scope, and the platform will display the key once. Store it securely — the full key string cannot be retrieved after the initial display for security reasons.

What authentication method does OpenRouter use?

OpenRouter uses Bearer token authentication over HTTPS for all API requests. Include your API key in the Authorization header of every request using the format Authorization: Bearer sk-or-... The platform requires TLS 1.3 for all API traffic and automatically rejects unencrypted connections with a connection reset.

Can I restrict a key to specific models?

Yes, scoped API keys can be restricted to specific model families or individual models. For example, you can create a key that only permits requests to Claude models or limits access exclusively to free-tier models. This granularity prevents accidental usage of expensive models and simplifies cost tracking across teams.

How should I store API keys in production?

Store API keys in environment variables or a dedicated secrets manager — never hard-code them in source files or commit them to version control. Use IP allowlisting for network-layer security, set key expiration dates for automated rotation, and monitor usage through the analytics dashboard to detect unauthorized access patterns early.

What happens when my API key expires or is revoked?

Expired or revoked keys immediately return HTTP 401 Unauthorized responses for all API requests. The OpenRouter platform processes key revocation synchronously — once you click revoke in the dashboard, the key becomes invalid within seconds across all platform services. Generate a replacement key with equivalent permissions to restore service.

Ready to Generate Your First API Key?

Create a free OpenRouter account and start building with access to every major AI model through a single, secure integration.
