API Keys
API keys are the primary way to authenticate programmatic requests to the SolRouter API. Every request made to https://api.solrouter.io/ai must include a valid API key.
What is an API key?
An API key is a secret token that identifies your account when making requests to the SolRouter API. Every SolRouter API key starts with the prefix sr_ followed by a randomly generated string, for example:
sr_a8f3k2p9qx7rnv4t1mbwzc6yjdshe05
Security properties of API keys:
- Keys are never stored in plaintext on SolRouter servers. Immediately after creation, the key is hashed with SHA-256 and only the hash is persisted. This means SolRouter itself cannot retrieve or display your key after creation.
- Keys are scoped to your account balance — a compromised key cannot access your personal data, billing details, or account settings.
- Keys can be revoked instantly from the dashboard at any time.
- All API traffic is encrypted over TLS 1.2 / 1.3 in transit.
Important: Because only the SHA-256 hash of your key is stored, SolRouter cannot show you the key again after you close the creation dialog. Copy and save your key immediately.
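The hash-only storage described above can be sketched as follows. This is an added illustration, not SolRouter's server code: the `KeyStore` class, the `digest` helper and the key alphabet and length (inferred from the sample key) are assumptions.

```python
import hashlib
import hmac
import secrets
import string

PREFIX = "sr_"                                     # prefix documented on this page
ALPHABET = string.ascii_lowercase + string.digits  # assumption, inferred from the sample key
BODY_LEN = 31                                      # assumption, length of the sample key body


def digest(key):
    # A fast unsalted hash is acceptable here only because the key is long and
    # random; it would not be acceptable for human-chosen passwords.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class KeyStore:
    """Hypothetical server-side store that persists SHA-256 digests, never keys."""

    def __init__(self):
        self.rows = {}  # digest -> {"name": str, "revoked": bool}

    def create(self, name):
        key = PREFIX + "".join(secrets.choice(ALPHABET) for _ in range(BODY_LEN))
        self.rows[digest(key)] = {"name": name, "revoked": False}
        return key  # plaintext is returned once and not kept anywhere

    def revoke(self, name):
        for row in self.rows.values():
            if row["name"] == name:
                row["revoked"] = True

    def authenticate(self, authorization_header):
        """Return (HTTP status, key name or None) for an Authorization header value."""
        scheme, _, presented = authorization_header.partition(" ")
        if scheme != "Bearer" or not presented.startswith(PREFIX):
            return 401, None
        candidate = digest(presented)
        for stored, row in self.rows.items():
            # Constant-time comparison of digests avoids a timing side channel.
            if hmac.compare_digest(stored, candidate) and not row["revoked"]:
                return 200, row["name"]
        return 401, None
```

Nothing in `rows` can be turned back into a key, which is why a lost key can only be replaced, never displayed again.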
Creating an API key
- Sign in to your account at solrouter.io
- Open the Account page from the navigation menu
- Click the API Keys tab
- Click the Create key button
- Enter a descriptive name for the key (see naming conventions below)
- Click Create — the full key is displayed once in a modal
- Copy the key and store it somewhere safe (a password manager, a secrets vault, or your .env file)
Once you dismiss the modal, the key cannot be retrieved again. If you lose it, revoke the old key and create a new one.
Naming conventions
Give every key a name that makes it immediately obvious which project, environment, or service it belongs to. This makes auditing and rotation much easier.
| Good names | Why |
|---|---|
| production | Main production workload |
| staging | Pre-production / QA environment |
| my-app-dev | Local development for a specific project |
| data-pipeline-prod | A specific backend service in production |
| ci-integration-tests | Automated test suite in CI |
| teammate-alice | Per-developer key for a team |
Avoid vague names like key1, test, or default — when you have multiple keys, these become impossible to distinguish.
Using a key in requests
Pass your API key in the Authorization header of every request using the Bearer scheme:
Authorization: Bearer sr_YOUR_API_KEY
TypeScript / JavaScript (OpenAI SDK)
```typescript
import OpenAI from "openai";

const client = new OpenAI({
  baseURL: "https://api.solrouter.io/ai",
  apiKey: process.env.SOLROUTER_API_KEY, // sr_...
});

const completion = await client.chat.completions.create({
  model: "openai/gpt-4o-mini",
  messages: [{ role: "user", content: "Hello!" }],
});

console.log(completion.choices[0].message.content);
```
TypeScript / JavaScript (fetch)
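```typescript
const response = await fetch("https://api.solrouter.io/ai/chat/completions", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${process.env.SOLROUTER_API_KEY}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    model: "openai/gpt-4o-mini",
    messages: [{ role: "user", content: "Hello!" }],
  }),
});

// A missing, invalid or revoked key returns 401, and the body then has no `choices`.
if (!response.ok) {
  throw new Error(`SolRouter request failed with status ${response.status}`);
}

const data = await response.json();
console.log(data.choices[0].message.content);
```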
Python (OpenAI SDK)
```python
from openai import OpenAI
import os

client = OpenAI(
    base_url="https://api.solrouter.io/ai",
    api_key=os.environ["SOLROUTER_API_KEY"],  # sr_...
)

completion = client.chat.completions.create(
    model="openai/gpt-4o-mini",
    messages=[{"role": "user", "content": "Hello!"}],
)

print(completion.choices[0].message.content)
```
Python (httpx / requests)
```python
import httpx
import os

response = httpx.post(
    "https://api.solrouter.io/ai/chat/completions",
    headers={
        "Authorization": f"Bearer {os.environ['SOLROUTER_API_KEY']}",
        "Content-Type": "application/json",
    },
    json={
        "model": "openai/gpt-4o-mini",
        "messages": [{"role": "user", "content": "Hello!"}],
    },
)

# Raise on 401 (missing, invalid or revoked key) instead of failing on a missing "choices".
response.raise_for_status()

data = response.json()
print(data["choices"][0]["message"]["content"])
```
curl
```bash
curl https://api.solrouter.io/ai/chat/completions \
  -H "Authorization: Bearer $SOLROUTER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "openai/gpt-4o-mini",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'
```
Key shown only once
Warning: The full API key is displayed exactly once — in the creation modal immediately after you create it. After you close the modal, SolRouter stores only the SHA-256 hash and the key itself is permanently unrecoverable.
If you lose a key, the only option is to revoke it and create a new one.
Recommended workflow after creating a key:
- Copy the key from the modal
- Open your .env file (or secrets manager) and paste the key immediately
- Verify it works with a quick test request before closing the modal
- Only then dismiss the dialog
Revoking a key
Revoking a key is instant and irreversible. Once revoked, any request using that key returns a 401 Unauthorized error.
To revoke a key:
- Open Account → API Keys
- Find the key you want to revoke
- Click the Revoke button next to it
- Confirm the action
Revoking one key has no effect on any other keys. If you suspect a key has been leaked, revoke it immediately — there is no need to rotate your entire account.
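Deciding which key to revoke starts with finding where it has been exposed. The scanner below is an added example, not part of SolRouter's tooling: it reports `sr_` keys found in text (a committed .env file, a log) without reproducing them. The pattern's character class and minimum length are assumptions inferred from the sample key, and the function names are hypothetical.

```python
import hashlib
import re

# Assumption: the page documents only the "sr_" prefix plus a random string.
# The character class and minimum length are inferred from its sample key.
KEY_RE = re.compile(r"\bsr_[a-z0-9]{24,}\b")


def redact(key):
    """Keep just enough of the key to recognise it in a report."""
    return key[:5] + "..." + key[-4:]


def scan_text(text, source):
    """Return one finding per key occurrence, never including the key itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            findings.append({
                "source": source,
                "line": lineno,
                "key": redact(key),
                # Short fingerprint groups repeated sightings of the same key.
                "fingerprint": hashlib.sha256(key.encode()).hexdigest()[:12],
            })
    return findings


def keys_to_revoke(findings):
    """Map each distinct fingerprint to the places it was seen."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["fingerprint"], []).append((f["source"], f["line"]))
    return grouped


# Constructed sample: the key is the example value printed on this page.
SAMPLE = """\
# .env committed by mistake
SOLROUTER_API_KEY=sr_a8f3k2p9qx7rnv4t1mbwzc6yjdshe05
PLACEHOLDER=sr_YOUR_API_KEY
debug: Authorization: Bearer sr_a8f3k2p9qx7rnv4t1mbwzc6yjdshe05
"""
```

Calling `keys_to_revoke(scan_text(SAMPLE, "sample.env"))` yields a single fingerprint seen on lines 2 and 4; the placeholder on line 3 is ignored.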
How many keys can I have?
There is no hard limit on the number of API keys you can create. You are encouraged to create one key per project, service, or environment rather than sharing a single key across everything.
Benefits of using multiple keys:
- Blast radius containment — if one key leaks, only that project is affected
- Easier auditing — usage logs are tagged by key name, so you can see which project consumed which tokens
- Instant isolation — revoke a specific project's access without touching anything else
- Environment hygiene — different keys for production, staging, and dev prevent accidental cross-environment usage
What a key can and cannot do
| A key can | A key cannot |
|---|---|
| Make API requests (chat, completions, etc.) | View or modify account settings |
| Consume your token balance | Access billing information or payment methods |
| — | Create or revoke other API keys |
| — | View your other keys (only hashes are stored) |
| — | Read request history or usage logs |
Keys are intentionally narrow in scope. Possessing a key grants access only to the API surface, not to your account.
Next steps
- Security Best Practices — environment variables, secrets managers, and what to do if a key leaks
- Session Tokens — how the web UI authenticates with short-lived JWT cookies
- Quickstart — make your first API request
- Environment Setup — load keys safely with .env files and platform secrets