Authentication
API key types, scopes, rate limits, and authentication methods for the AllRoutes API.
Overview
AllRoutes uses API keys for authentication. Every request to the API must include a valid key in the Authorization header as a Bearer token.
Authorization: Bearer allroutes_sk_...
API Key Types
AllRoutes issues three types of API keys, each with a distinct prefix:
Secret Keys (allroutes_sk_)
Secret keys are the standard authentication method for server-side applications. They have full access to the API based on their configured scopes.
- Use for: Backend services, server-side applications, scripts
- Security: Never expose in client-side code or public repositories
- Example:
allroutes_sk_a1b2c3d4e5f6...
Public Keys (allroutes_pk_)
Public keys are designed for client-side applications with restricted permissions. They can only access a subset of endpoints and have stricter rate limits.
- Use for: Browser-based apps, mobile apps, public-facing clients
- Security: Safe to include in client-side bundles (with origin restrictions)
- Example:
allroutes_pk_x9y8z7w6v5u4...
Management Keys (allroutes_mgmt_)
Management keys provide access to administrative endpoints for managing your organization, keys, and billing.
- Use for: Automation scripts, CI/CD pipelines, admin dashboards
- Security: Treat with the same care as secret keys
- Example:
allroutes_mgmt_m1n2o3p4q5r6...
Creating API Keys
- Sign in to the AllRoutes Dashboard
- Navigate to Settings > API Keys
- Click Create New Key
- Configure the key:
- Name -- a human-readable label for identification
- Type -- secret, public, or management
- Scopes -- which API endpoints the key can access
- Rate Limits -- requests per minute (RPM) cap
- Budget -- daily and/or monthly spend limits in USD
- Allowed Models -- restrict to specific models (optional)
- Expiration -- set an expiry date (optional)
- Copy the key immediately -- it will not be shown again
Per-Key Scopes
Each key can be granted a subset of permissions:
| Scope | Description |
|---|---|
chat:completions | Create chat completions |
embeddings | Create embeddings |
models:read | List and view models |
keys:manage | Create, update, and delete API keys |
billing:read | View credit balance and transactions |
billing:write | Top up credits and manage subscriptions |
presets:read | List presets |
presets:write | Create, update, and delete presets |
cache:manage | Configure and purge cache |
providers:manage | Manage BYOK provider keys |
Rate Limits
Rate limits are enforced per key and can be configured when creating or updating a key.
| Plan | Default RPM | Default Daily Budget |
|---|---|---|
| Free | 60 RPM | $5/day |
| Pro | 600 RPM | $100/day |
| Enterprise | Custom | Custom |
Rate limit headers are included in every response:
X-RateLimit-Limit: 600
X-RateLimit-Remaining: 594
X-RateLimit-Reset: 1714000000
When a rate limit is exceeded, the API returns a 429 Too Many Requests response.
Budget Controls
Set spending limits per key to prevent runaway costs:
daily_budget_usd-- maximum spend per calendar daymonthly_budget_usd-- maximum spend per calendar month
When a budget is exhausted, requests return 402 Payment Required until the next period begins.
JWT Authentication (Dashboard)
The AllRoutes dashboard uses JWT-based authentication for browser sessions. JWTs are issued upon login and include:
- User identity and organization membership
- Session expiration (configurable)
- Refresh token rotation for long-lived sessions
JWTs are not used for API access -- use API keys for programmatic access.
Best Practices
- Rotate keys regularly -- delete old keys and create new ones periodically
- Use scoped keys -- grant only the permissions each service needs
- Set budgets -- always configure daily/monthly limits on production keys
- Use environment variables -- never hardcode keys in source code
- Monitor usage -- check the dashboard for unusual activity patterns
# Store your key in an environment variable
export ALLROUTES_API_KEY="allroutes_sk_..."
import os
from allroutes import AllRoutesClient
client = AllRoutesClient(api_key=os.environ["ALLROUTES_API_KEY"])
See Also
- Your First Request -- make your first API call
- API Keys Management -- programmatic key CRUD
- Billing & Credits -- manage your credit balance
- Guardrails -- enforce budget caps and compliance profiles per key
- Error Handling -- patterns for handling 401, 402, 429, and 5xx