API key management

Keep proxy access workspace-scoped, revocable, and separate from providers

ThrottleProxy keys authenticate applications to the proxy. Creation requires a verified user with the right workspace role, lookup is exact and constant-time, and deactivation invalidates cached configuration.

Verified creation · Role protected · Revocable access

Practical boundaries

Treat every key as narrow operational access

Verified creator

Live key creation requires an authenticated user with a verified email.

Workspace permission

Only Owner, Admin, and Developer roles can create or deactivate proxy keys.

One-time display

The raw key is shown to the caller once, at creation; storage keeps a hash rather than the reusable credential.

Exact lookup

Authentication hashes the presented key and performs one exact Redis config lookup without keyspace scans.

Tenant-scoped mutation

Deactivation includes the authorized workspace in the mutation query, so foreign object IDs return not found.

Cache invalidation

Deactivation removes the exact cached configuration entry so stale access is not left active.
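The boundaries above, sketched end to end as an added example (not ThrottleProxy's own code). Assumptions: SHA-256 as the hash, the `tp_` key prefix, the `proxykey:` cache key name, and plain dicts standing in for the database and Redis; `KeyStore` and its method names are hypothetical.

```python
import hashlib
import secrets

CREATOR_ROLES = {"Owner", "Admin", "Developer"}  # roles named on the page


class KeyStore:
    """In-memory stand-in: `rows` plays the database, `cache` plays Redis."""

    def __init__(self):
        self.rows = {}    # key_id -> {"workspace", "digest", "active"}
        self.cache = {}   # "proxykey:<digest>" -> cached config

    @staticmethod
    def _digest(raw_key):
        # Assumption: SHA-256 over a high-entropy random key
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def create(self, workspace, role, email_verified):
        if not email_verified or role not in CREATOR_ROLES:
            raise PermissionError("verified email and Owner/Admin/Developer role required")
        raw_key = "tp_" + secrets.token_urlsafe(32)   # constructed key format
        digest = self._digest(raw_key)
        key_id = secrets.token_hex(8)
        self.rows[key_id] = {"workspace": workspace, "digest": digest, "active": True}
        self.cache["proxykey:" + digest] = {"workspace": workspace, "key_id": key_id}
        return key_id, raw_key   # raw key leaves here once; only the digest is kept

    def authenticate(self, presented_key):
        # One exact lookup on the digest: no scan, no per-key comparison loop
        return self.cache.get("proxykey:" + self._digest(presented_key))

    def deactivate(self, key_id, workspace, role):
        if role not in CREATOR_ROLES:
            raise PermissionError("role may not deactivate keys")
        row = self.rows.get(key_id)
        # Workspace is part of the match, so a foreign key_id looks like a missing one
        if row is None or row["workspace"] != workspace or not row["active"]:
            return False
        row["active"] = False
        self.cache.pop("proxykey:" + row["digest"], None)   # drop the exact cache entry
        return True
```

A deactivation attempt from another workspace returns `False` and leaves the key usable; the same call from the owning workspace makes the next `authenticate` return `None`.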

Good fit

  • Separate keys for applications or environments with clear owners.
  • Small key inventories that can be reviewed and revoked quickly.
  • Teams that distinguish proxy authentication from provider credentials.

Not a replacement for

  • A provider credential vault or automatic secret injection.
  • Sharing one raw key across unrelated applications and workspaces.
  • A reason to place credentials in URLs, logs, tickets, or browser storage.

Common questions

Is a ThrottleProxy key the same as an OpenAI or Stripe key?

No. It authenticates the caller to ThrottleProxy and is stripped before forwarding. Provider credentials are a separate concern.

Who can create keys?

The server requires an active Owner, Admin, or Developer membership plus a verified email.

What happens when a key is deactivated?

The workspace-scoped database row is deactivated and its exact Redis configuration entry is invalidated.

Start with one narrow integration

Use one workspace key, one exact public host, and non-sensitive test traffic.
