LLM API key management for modern teams
Provision scoped, trackable, revocable vendor API keys without a proxy. One leaked key used to mean full org exposure. Not anymore.
One shared key = full org exposure
Your org has one OpenAI key shared across 100+ developers. No audit trail, no per-developer budgets, no way to revoke one person without rotating for everyone.
Real keys, scoped per developer
KeyGate uses vendor Admin APIs to create scoped projects/workspaces per developer and issue real API keys. Developers talk directly to the vendor: no proxy, no latency, no SDK changes.
Real Vendor Keys
Not proxy tokens. Developers use real keys directly with vendor SDKs: no SDK changes, no added latency.
Per-Developer Scoping
Each key lives in its own vendor project or workspace, perfectly isolated from other team members.
Budget Controls
Set per-developer USD spending limits enforced at the vendor level. No surprise bills ever.
Rate Limiting
Per-key RPM limits enforced by the vendor. Protect shared quotas from runaway scripts.
Key Rotation
One-click rotate: revoke old, provision new for the same developer. Zero downtime handoff.
Audit Log
Every provision, revoke, rotate, and config change is immutably logged with actor and timestamp.
Multi-Vendor
OpenAI, Anthropic, Azure OpenAI, Google Vertex AI, all from one unified dashboard.
Docker-Ready
One command to run the full stack in production. Deploy to AWS, GCP, Azure, or Kubernetes.
API Reference
Base URL: http://localhost:8000 · Swagger: /docs · ReDoc: /redoc
Authentication
All endpoints except /health and /api/v1/auth/login require a JWT bearer token in the Authorization header.
# Get a token
curl -X POST http://localhost:8000/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "admin@keygate.dev", "password": "changeme"}'
# Use the token
curl -H "Authorization: Bearer <token>" http://localhost:8000/api/v1/developers
Auth
Authenticate with email and password to receive a JWT bearer token.
Request Body
{ "email": "admin@keygate.dev", "password": "changeme" }
Response
{ "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "token_type": "bearer" }
Vendors
Store or update admin API credentials for a vendor. Credentials are encrypted at rest.
openai, anthropic, azure_openai, google_vertex
Request Body
org-... for OpenAI).
{
  "vendor": "openai",
  "admin_api_key": "sk-admin-abc123...",
  "org_id": "org-XXXXXXXX"
}
Returns all configured vendors. Admin keys are masked; only a hint is returned.
Developers
"default".
"developer".
{ "name": "Priya Sharma", "email": "priya@company.com", "team": "ml" }
true.
Deactivates the developer and immediately revokes all their active API keys at the vendor level.
Keys
The core endpoint. Creates a scoped vendor project/workspace and provisions a real API key. The key is returned exactly once.
The api_key is shown exactly once. Copy it immediately; it's never stored in full by KeyGate.
Request Body
openai, anthropic, azure_openai, google_vertex
50.0.
60.
90.
["gpt-4","gpt-4o"].
{
  "developer_id": "dev-abc123",
  "vendor": "openai",
  "budget_limit_usd": 100,
  "rate_limit_rpm": 120,
  "expires_in_days": 90,
  "models_allowed": ["gpt-4", "gpt-4o"],
  "description": "GPT-4 for ML experiments"
}
Response
{
  "key_id": "key-xyz789",
  "vendor": "openai",
  "api_key": "sk-proj-...",
  "key_hint": "sk-proj-...7xKm",
  "project_name": "keygate-ml-priya-a3f2c1",
  "budget_limit_usd": 100,
  "expires_at": "2026-06-22T08:00:00+00:00",
  "instructions": {
    "base_url": "https://api.openai.com/v1",
    "auth_header": "Authorization: Bearer <your-key>"
  }
}
Returns key metadata. Full key values are never included.
"active".
Calls the vendor API to delete/disable the key, then marks it revoked locally. Revocation is immediate at the vendor level.
Atomically revokes the existing key and provisions a fresh one for the same developer and vendor. Response identical to POST /keys/provision.
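An added example, not part of KeyGate's code or docs: one way for a client to handle the one-time provision response, writing the api_key to an owner-only file and returning metadata that is safe to log. The sample response is constructed (the key is fake), and the function name, the file layout and the assumption that key_hint has the form prefix...suffix are illustrative.

```python
import json
import os
from datetime import datetime, timezone

# Constructed sample shaped like the provision response above; the key is fake.
SAMPLE_RESPONSE = json.dumps({
    "key_id": "key-xyz789",
    "vendor": "openai",
    "api_key": "sk-proj-EXAMPLEONLYnotarealkey7xKm",
    "key_hint": "sk-proj-...7xKm",
    "project_name": "keygate-ml-priya-a3f2c1",
    "budget_limit_usd": 100,
    "expires_at": "2026-06-22T08:00:00+00:00",
})


def store_provisioned_key(response_text, secrets_dir):
    """Write the one-time api_key to an owner-only file; return log-safe metadata."""
    meta = json.loads(response_text)
    key = meta.pop("api_key")  # the secret leaves the dict before anything is logged
    # Assumption: key_hint is "<prefix>...<suffix>" of the real key, as in the sample.
    prefix, _, suffix = meta["key_hint"].partition("...")
    if not (key.startswith(prefix) and key.endswith(suffix)):
        raise ValueError("key_hint does not match the returned key")
    name = meta["key_id"] + ".key"
    if os.path.basename(name) != name:
        raise ValueError("key_id is not a safe file name")
    path = os.path.join(secrets_dir, name)
    # O_EXCL refuses to overwrite an existing secret; 0o600 is owner read/write only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)
    expires = datetime.fromisoformat(meta["expires_at"])
    meta["days_until_expiry"] = (expires - datetime.now(timezone.utc)).days
    meta["key_path"] = path
    return meta


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(store_provisioned_key(SAMPLE_RESPONSE, tmp), indent=2))
```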
Audit & System
Immutable log of all provisioning, revocation, and configuration events.
50.
key.provision.
Liveness probe for load balancers and container orchestrators.
{ "status": "healthy", "service": "keygate", "version": "0.1.0" }
Clone and configure
Clone the repository and copy the example environment file.
git clone https://github.com/Aakashbhardwaj27/keygate.git
cd keygate && cp .env.example .env
Edit .env with required values
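# Generate the value with: openssl rand -hex 32
# A .env file is not run by a shell, so paste the command's output instead of $(...)
SECRET_KEY=<output of openssl rand -hex 32>
ADMIN_EMAIL=admin@yourcompany.com
ADMIN_PASSWORD=<strong-password>
DB_PASSWORD=<strong-password>
OPENAI_ADMIN_KEY=sk-admin-...
Start the stack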
docker compose up -d
# Dashboard -> http://localhost:3000
# API docs -> http://localhost:8000/docs
Configure a vendor & provision your first key
Log in, add your vendor admin key, register a developer, click Provision Key. Copy the key; it's shown exactly once.
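An added example (not from the KeyGate repository): a small linter for the .env step of the quickstart that flags secrets left as placeholders, default passwords, and shell substitutions that a .env loader will not evaluate. The sample file is constructed, and the function names and rules are assumptions of this example.

```python
import re

# Constructed sample: a .env with the mistakes this linter is meant to catch.
SAMPLE_ENV = """\
SECRET_KEY=$(openssl rand -hex 32)
ADMIN_EMAIL=admin@yourcompany.com
ADMIN_PASSWORD=changeme
DB_PASSWORD=<strong-password>
OPENAI_ADMIN_KEY=sk-admin-...
"""

SECRET_VARS = ("SECRET_KEY", "ADMIN_PASSWORD", "DB_PASSWORD", "OPENAI_ADMIN_KEY")


def parse_env(text):
    """Parse KEY=VALUE lines as dotenv-style loaders do: no shell evaluation."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env


def lint_env(text):
    """Return (variable, problem) findings for the secrets in a .env file."""
    env, findings = parse_env(text), []
    for name in SECRET_VARS:
        value = env.get(name, "")
        if not value:
            findings.append((name, "missing or empty"))
        elif "$(" in value or "`" in value:
            findings.append((name, "unexpanded shell substitution"))
        elif re.fullmatch(r"<.*>", value) or value.endswith("..."):
            findings.append((name, "placeholder left in place"))
        elif value.lower() in {"changeme", "password", "admin"}:
            findings.append((name, "default password"))
        elif name == "SECRET_KEY" and not re.fullmatch(r"[0-9a-f]{64}", value):
            # Assumption: the key was generated with `openssl rand -hex 32`.
            findings.append((name, "expected 64 hex characters"))
    return findings


if __name__ == "__main__":
    for variable, problem in lint_env(SAMPLE_ENV):
        print(f"{variable}: {problem}")
```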
Configuration Reference
Deployment Options
Docker Compose
One command to run the full stack with Postgres and Nginx included.
AWS ECS + RDS
ECS services backed by RDS PostgreSQL with Application Load Balancer for HTTPS.
GCP Cloud Run
Serverless containers with Cloud SQL. Perfect for variable load workloads.
Kubernetes
Kubernetes manifests included. Helm chart on roadmap for v0.2.0.
Initial Release
- OpenAI provisioner: Project + Service Account per developer
- Anthropic provisioner: Workspace + API Key per developer
- Azure OpenAI provisioner: Cognitive Services resource per developer
- Google Vertex AI: Service Account + IAM binding per developer
- Full audit log with actor, timestamp, event details
- JWT authentication with configurable expiry
- Key rotation (revoke old + provision new atomically)
- Workspace and team management
- Docker Compose production stack
- React dashboard frontend
Upcoming
- Prometheus /metrics endpoint
- SSO/SAML integration (Okta, Auth0, Google Workspace)
- Self-service developer portal with approval flows
- Spend tracking via vendor usage APIs
- Slack/Teams notifications on key events
- Helm chart for Kubernetes
- CLI: keygate provision --vendor openai --dev priya
- Webhook support for key lifecycle events