How it works
1
Generate a key
Create a key in the dashboard under API Keys. Each key has a unique prefix (
sk-aisa-...) and is shown once — copy it immediately to a secure store.2
Send it as a Bearer token
Include the key in every request’s
Authorization header:3
Get charged per request
Every call deducts from your workspace wallet. Usage and cost appear in Usage Logs in real time.
Authenticating with SDKs
Because AIsa is OpenAI-compatible, the official OpenAI SDKs work by swappingbase_url and api_key:
Key lifecycle
Creating keys
- Navigate to console.aisa.one → API Keys.
- Click Create Key, give it a label (e.g.,
prod-web-app,ci-tests), and copy the value. - Create one key per deployment environment — separate keys for dev, staging, prod, and each service. This makes rotation and revocation surgical.
Scoping and quotas
On the key creation form you can optionally set:- Spend cap — maximum USD the key can charge per day/week/month. When hit, subsequent requests return
429 quota_exceeded. - Rate-limit overrides — lower the default RPM/TPM below your account tier for a specific key.
- Model allowlist — restrict the key to specific models (e.g., only
gpt-5-minifor a cost-sensitive internal tool).
Rotating keys
Rotate keys at least every 90 days, or immediately if you suspect exposure.1
Create a new key
Generate a new key with the same label + a version suffix (e.g.,
prod-web-app-v2).2
Deploy the new key
Push the new key to your secret manager. Wait for the deployment to roll out across every instance.
3
Revoke the old key
Once you’ve verified no requests are still using the old key (check Usage Logs filtered by key), revoke it in the dashboard.
Revoking keys
If a key leaks, revoke it immediately in the dashboard. Revocation is instant — the next request with that key returns401 revoked_api_key. Always revoke before investigating.
Storing keys securely
Local development
Local development
Use a
.env file and a loader like python-dotenv or dotenv (Node). Add .env to .gitignore.CI/CD
CI/CD
Store the key as a secret in your CI provider (GitHub Actions, GitLab CI, CircleCI). Reference it as an environment variable in the workflow.Use a dedicated
ci-tests key with a low spend cap so a runaway test can’t drain the wallet.Cloud deployments
Cloud deployments
Use your cloud provider’s secret manager:
- AWS: Secrets Manager or Systems Manager Parameter Store
- GCP: Secret Manager
- Azure: Key Vault
- Fly/Render/Railway: the platform’s built-in env var encryption
Client-side apps
Client-side apps
Never ship an API key in a browser, mobile app, or any client the user can inspect. Always route through a backend proxy you control.If you need to call AIsa from a client, build a server-side endpoint that:
- Validates the caller (user auth)
- Applies per-user rate limits
- Forwards to AIsa with your server-held key
Best practices
- One key per service — never share keys across apps
- Scope narrowly — use model allowlists and spend caps to blast-radius any leak
- Rotate on a schedule — at minimum every 90 days; immediately on personnel change
- Monitor usage logs — unusual spikes often appear in Usage Logs before billing alerts
- Set quota alerts — configure daily/weekly spend thresholds in Settings
- Prefer SSO for dashboard access so revocation propagates from your identity provider
Related
Security
Data retention, transport security, and third-party provider handling.
Error Codes
401, 403, and other auth-related responses.
Rate Limits
RPM, TPM, and concurrency caps per tier.
Getting Started
Make your first authenticated request.