Virtual keys
Generate API keys for developers to access the gateway with any OpenAI-compatible SDK.
Overview
Virtual keys are API keys you hand out to developers so they can send LLM requests through the gateway with any OpenAI-compatible SDK. No VerifyWise account required. Your guardrails, budgets, and audit logs still apply to every request; the developer doesn't need to think about any of that.
They're useful when you want application teams or external services to hit your LLM endpoints while you keep control over what gets spent, what content gets through, and what gets logged.
Creating a virtual key
- Open the Virtual keys page from the AI Gateway sidebar.
- Click Create key.
- Give it a name that tells you what it's for (e.g., "chatbot-prod" or "analytics-team").
- Optionally set a monthly budget, rate limit (RPM), and expiry date.
- Click Create. The full key appears once.
- Copy it now. You won't see it again.
Using a virtual key
Point any OpenAI-compatible SDK at the gateway URL and use the virtual key as the API key. The model field is the endpoint slug you set up on the Endpoints page.
from openai import OpenAI
client = OpenAI(
base_url="https://your-verifywise-host/v1",
api_key="sk-vw-your-virtual-key-here",
)
response = client.chat.completions.create(
model="my-endpoint-slug", # matches the endpoint slug in VerifyWise
messages=[
{"role": "user", "content": "Summarize this document."}
],
)
print(response.choices[0].message.content)Key format and security
Keys follow the format sk-vw- plus 32 hex characters. Only the SHA-256 hash is stored in the database. The plaintext is shown once at creation and can't be recovered after that.
- Prefix:
sk-vw-identifies it as a VerifyWise virtual key - Storage: SHA-256 hash only; the raw key is never persisted
- Lost key?: Revoke the old one and create a new key. There's no recovery.
Budget controls
Each key can have its own monthly spending cap. When a key hits its limit, only that key gets blocked. Other keys, Playground users, and the rest of the gateway keep running.
- Reset: Budgets reset on the 1st of each month
- Scope: Per-key, separate from endpoint or org-wide budgets
- Notifications: Admins get an email when a key's budget runs out
- Response: A budget-exhausted key gets a 429 with a message explaining why
Rate limiting
You can set a requests-per-minute (RPM) cap on each key. It uses a Redis sliding window, so it handles bursts correctly.
- Key-level and endpoint-level RPM limits are independent; both get enforced
- Over-limit requests get a 429 response with a clear error message
- If you don't set a key RPM, only the endpoint limit applies
Revoking and deleting
Revoking
Revoking a key kills it immediately but keeps the record. A revoked_at timestamp gets saved and the key stays in the database. Use this when you need to cut off access but want the usage history for audits.
Deleting
Deleting permanently removes a revoked key. You can only delete keys that have already been revoked. Use this to clean up old keys you don't need anymore.
Monitoring usage
Virtual key requests are tracked the same way as logged-in user requests:
- Logs: Virtual key requests show the key name instead of a user name, so you can tell programmatic traffic apart at a glance
- Spend: Cost per key is visible in the virtual keys list next to the remaining budget
- Analytics: Virtual key traffic shows up in the Analytics charts alongside everything else