Skip to content

Configure Inbound Authentication

The Security tab on both LLM Providers and LLM Proxies controls how client applications authenticate when calling the deployed gateway endpoint. This is called inbound authentication — the key that your application sends to the gateway, as opposed to the upstream API key the gateway uses to call the LLM provider (configured in the Connection tab).

How It Works

When a provider or proxy is deployed, the gateway enforces inbound authentication on every incoming request. Clients must include a valid API key in the location and under the name you configure in the Security tab.

The API key itself is generated by the AI Workspace (shown once at creation, valid for 90 days). The Security tab controls where and under what name the client must send it.

Security Tab Fields

Field Description
Authentication Authentication type. Currently apiKey is the only supported option.
API Key / Key name The name of the header or query parameter that must carry the API key. Defaults to X-API-Key.
Key Location / Sent in Whether the key is expected in a request header or as a query parameter. Defaults to header.

Default Behaviour: X-API-Key Header

Out of the box, the gateway expects the API key in the X-API-Key request header:

X-API-Key: <your-api-key>

Most AI SDKs do not send this header automatically, so you need to add it explicitly when initialising the client. See Invoke via SDKs for code examples.

Using a Custom Header Name

You can change the key name to match what your SDK sends natively. For example, setting the key name to Authorization allows clients to pass the key as a Bearer token:

Authorization: Bearer <your-api-key>

SDKs such as the OpenAI SDK, Mistral SDK, and Azure OpenAI SDK all send an Authorization: Bearer header by default, so with this configuration they work without any additional header setup.

Note

The gateway validates the key value regardless of prefix — it strips a leading Bearer before comparing against the stored key.

Sending the Key as a Query Parameter

If you set Key Location to query, clients append the key to the request URL instead:

https://<gateway-host>/<context>?<key-name>=<your-api-key>

This is useful in environments where setting custom request headers is not straightforward.

Steps to Configure

  1. Open your LLM Provider or LLM Proxy and go to the Security tab.
  2. Set the API Key / Key name field to the header or query parameter name your application will use.
  3. Set Key Location / Sent in to header or query as appropriate.
  4. Click Save.
  5. Deploy to Gateway — security changes take effect only after redeployment.