Skip to main content

API key format

ModelRoute API keys follow the format:
Total length: 76 characters. The sk_ prefix identifies it as a secret key. The trailing 8-character CRC32 checksum allows client-side format validation before making a network request. Example:

Using your API key

Include your key in the Authorization header as a Bearer token on every request:

Creating API keys

  1. Log in to app.modelroute.ai
  2. Navigate to Settings > API Keys
  3. Click Create Key
  4. Choose a permission level and label
  5. Copy the full key — it is shown only once
You can create a maximum of 20 API keys per organization. Revoke unused keys to free up slots.

Permission levels

Use execution-only keys in production applications. Reserve full-access keys for admin scripts and automation.

Key rotation

Rotate a key to generate a new secret while keeping the same key ID and permissions:
Response:
The old key remains valid for 1 hour after rotation to allow zero-downtime migration.

Rate limiting

Every API response includes rate limit headers: When you exceed the rate limit, the API returns 429 Too Many Requests with the RATE_LIMITED error code:
Use the X-RateLimit-Reset header to determine when to retry. Implement exponential backoff for production systems.

Security best practices

API keys are server-side secrets. Never embed them in JavaScript bundles, mobile apps, or public repositories. Use a backend proxy to make ModelRoute API calls.
Store keys in environment variables or a secrets manager (e.g., AWS Secrets Manager, GCP Secret Manager). Never hardcode keys in source files.
Use execution-only keys for services that only run executions. Keep full-access keys for admin operations only.
Rotate keys every 90 days or immediately if a key is compromised. The 1-hour grace period on rotation ensures zero downtime.
If a key is leaked, revoke it from the dashboard immediately. Revocation is instant — the key stops working on the next request.