Authentication
any-llm-gateway offers two authentication methods, each designed for different use cases. Understanding when to use each approach will help you secure your gateway effectively.
Authentication Methods Overview
| Method | Best For | Key Management | Usage Tracking |
|---|---|---|---|
| Master Key | Internal services, admin operations, trusted environments | Single key with full access | Requires manual user specification |
| Virtual API Keys | External apps, per-user access, customer-facing services | Multiple scoped keys | Automatic per-key tracking |
Master Key
The master key is the root credential for your gateway installation. It has unrestricted access to all gateway operations and should be treated with the same security as your production database credentials.
Generating a Master Key
Generate a cryptographically secure master key (minimum 32 characters recommended):
Example output:
Set the generated key in your configuration:
Using environment variables:
Using config.yml:
Creating a User
curl -X POST http://localhost:8000/v1/users \
-H "X-AnyLLM-Key: Bearer ${GATEWAY_MASTER_KEY}" \
-H "Content-Type: application/json" \
-d '{"user_id": "user-123", "alias": "Alice"}'
With optional metadata
Making Requests with Master Key
When using the master key, you must specify which user is making the request using the user field:
curl -X POST http://localhost:8000/v1/chat/completions \
-H "X-AnyLLM-Key: Bearer ${GATEWAY_MASTER_KEY}" \
-H "Content-Type: application/json" \
-d '{
"model": "openai:gpt-4o-mini",
"messages": [{"role": "user", "content": "Write a haiku on Jupiter"}],
"user": "user-123"
}'
user field tells the gateway which user's budget and spend tracking to update. Without this field, the request will be rejected.
Virtual API Keys
Virtual API keys provide scoped access for making completion requests without exposing the master key. Each virtual key can have expiration dates, metadata, and associated users for automatic usage tracking.
Creating a Virtual API Key
Create a virtual key with a descriptive name :
curl -X POST http://localhost:8000/v1/keys \
-H "X-AnyLLM-Key: Bearer ${GATEWAY_MASTER_KEY}" \
-H "Content-Type: application/json" \
-d '{"key_name": "mobile-app"}'
Important: Save the
keyvalue immediately—it's only shown once and cannot be retrieved later.
Example Response
Key with Expiration
Create a key that automatically expires on a specific date:
curl -X POST http://localhost:8000/v1/keys \
-H "X-AnyLLM-Key: Bearer ${GATEWAY_MASTER_KEY}" \
-H "Content-Type: application/json" \
-d '{
"key_name": "trial-access",
"expires_at": "2025-12-31T23:59:59Z"
}'
Using Virtual API Keys
Making requests with a virtual key is simpler than using the master key—no user field is required:
curl -X POST http://localhost:8000/v1/chat/completions \
-H "X-AnyLLM-Key: Bearer gw-..." \
-H "Content-Type: application/json" \
-d '{"model": "openai:gpt-5-mini", "messages": [{"role": "user", "content": "Write a haiku on Saturn"}]}'
The gateway automatically tracks usage based on the virtual key used.
Managing Virtual Keys
List All Keys
List all keys:
Deactivate a key:
curl -X PATCH http://localhost:8000/v1/keys/<virtual_key_id>\
-H "X-AnyLLM-Key: Bearer ${GATEWAY_MASTER_KEY}" \
-H "Content-Type: application/json" \
-d '{"is_active": false}'
Delete a key:
curl -X DELETE http://localhost:8000/v1/keys/<virtual_key_id> \
-H "X-AnyLLM-Key: Bearer ${GATEWAY_MASTER_KEY}"
See API Reference for complete key management operations.
Note: The actual key values are never returned in list or get operations for security reasons.
Next Steps
Now that you understand authentication, explore these related topics:
- Budget Management - Set spending limits for users and enforce budgets
- Configuration - Learn about provider setup and pricing configuration
- API Reference - Explore all available endpoints for managing keys and users
- Quick Start - Complete walkthrough of setting up your first gateway
For questions or issues, refer to the troubleshooting guide or check the project's issue tracker.