API Key Management

API Key Management is a core security and governance feature of AI Controller that provides centralized control over authentication for both external LLM service providers and applications integrating with AI Controller.

API Key Management Overview

AI Controller handles two distinct types of API keys:

  1. Provider API Keys: Secure credentials for accessing external LLM services (OpenAI, Anthropic, Azure OpenAI, etc.)
  2. AI Controller API Keys: Application-specific keys generated for authenticating with the AI Controller platform

This dual-key architecture creates a secure abstraction layer that enhances security, simplifies management, and provides granular control over your LLM interactions.

%%{init: {'theme': 'base', 'themeVariables': { 'darkMode': false }}}%%
graph LR
    subgraph Applications
        A1[Web Application]
        A2[Mobile App]
        A3[Backend Service]
    end

    subgraph AIC["AIC (AIC)"]
        AICP[AIC Platform]
    end

    subgraph Providers["LLM Providers"]
        P1[OpenAI]
        P2[Anthropic]
        P3[Azure OpenAI]
        P4[Other Providers]
    end

    A1 -- "AIC API Keys" --> AICP
    A2 -- "AIC API Keys" --> AICP
    A3 -- "AIC API Keys" --> AICP

    AICP -- "Provider API Keys" --> P1
    AICP -- "Provider API Keys" --> P2
    AICP -- "Provider API Keys" --> P3
    AICP -- "Provider API Keys" --> P4

    style AICP fill:#f5f5f5,stroke:#333,stroke-width:2px,color:#333
    style Applications fill:#e1f5fe,stroke:#0277bd,stroke-width:1px,color:#333
    style Providers fill:#e8f5e9,stroke:#2e7d32,stroke-width:1px,color:#333
    style A1 color:#333
    style A2 color:#333
    style A3 color:#333
    style P1 color:#333
    style P2 color:#333
    style P3 color:#333
    style P4 color:#333
Diagram showing how AI Controller sits between applications and LLM providers, with API keys at both interfaces. For more details on this architecture, see Architecture Overview.

Provider API Keys

Provider API keys are the sensitive credentials required to access external LLM services. Instead of distributing these valuable keys across multiple applications or developers, AI Controller centralizes and secures them. For more information on how AI Controller connects to providers, see Managing LLM Providers.

Key Benefits of Centralized Provider Key Management

  • Enhanced Security: Provider keys are stored encrypted and never exposed to end users or applications
  • Single Point of Management: Add, update, or rotate provider keys without changing application code
  • Usage Visibility: Track and monitor usage across all applications using a single provider key
  • Cost Control: Prevent unexpected costs from unchecked provider key usage
  • Simplified Compliance: Easier audit and management of access to AI services

Provider Key Security

AI Controller implements multiple layers of security for provider keys:

  • Encryption at Rest: All provider keys are encrypted in the database using AES-256
  • Limited Access: Only administrators can modify provider keys
  • Key Verification: Keys can be verified upon entry to ensure they are valid

AI Controller API Keys

AI Controller API keys are the credentials that your applications, scripts, or services use to authenticate with the AI Controller platform. These keys provide a secure way to access AI Controller's capabilities without exposing provider credentials.

Key Components

Each AI Controller API key consists of the following components:

| Component | Description |
|---|---|
| Key ID | A unique identifier for the key (e.g., aic_12345) |
| Name | Human-readable identifier for the key's purpose |
| User/Owner | The user account the key belongs to |
| Expiry Date | When the key becomes invalid |
| Permissions | Inherited from the user the key belongs to (the key can perform any actions the user is authorized to do) |
| Provider ID | Which provider the key will use |

API Key Security Features

AI Controller implements several security measures for API keys, which are a critical component of the overall security model:

  • Hashed Storage: Keys are stored as cryptographic hashes, not in plaintext
  • User-based Permissions: Keys inherit permissions from the user they belong to
  • Expiration: All keys have mandatory expiration dates
  • Instant Expiration: Keys can be invalidated immediately if compromised
  • Last Usage Tracking: The system records when an API key was last used
  • Provider Restriction: Keys can be restricted to specific providers
  • Rate Limiting: API keys are rate limited to prevent DDoS attacks; the limits are set so that they do not affect normal day-to-day usage
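
The checks in the list above, combined into one verification path, as an added example (not AI Controller's own code). The record schema, the `key_id.secret` token format, the SHA-256 digest and the in-memory `STORE` are assumptions made for illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class KeyRecord:  # hypothetical schema; fields follow the component table above
    key_id: str
    name: str
    owner: str
    provider_id: str
    expires_at: datetime
    secret_hash: str                      # only the hash is persisted
    revoked: bool = False
    last_used: Optional[datetime] = None

STORE: dict = {}  # stands in for the key database

def _digest(secret: str) -> str:  # secret has 256 random bits, so a fast hash suffices
    return hashlib.sha256(secret.encode()).hexdigest()

def issue_key(key_id, name, owner, provider_id, ttl_days, now):
    secret = secrets.token_urlsafe(32)
    STORE[key_id] = KeyRecord(key_id, name, owner, provider_id,
                              now + timedelta(days=ttl_days), _digest(secret))
    return f"{key_id}.{secret}"           # assumed token format, returned once

def revoke(key_id):
    STORE[key_id].revoked = True          # "instant expiration"

def verify(token, provider_id, now):
    key_id, _, secret = token.partition(".")
    rec = STORE.get(key_id)
    if rec is None:
        return False, "unknown key"
    if not hmac.compare_digest(rec.secret_hash, _digest(secret)):  # constant-time
        return False, "bad secret"
    if rec.revoked:
        return False, "revoked"
    if now >= rec.expires_at:
        return False, "expired"
    if provider_id != rec.provider_id:
        return False, "provider not allowed"
    rec.last_used = now                   # last-usage tracking
    return True, rec.owner                # caller applies the owner's permissions

if __name__ == "__main__":
    t0 = datetime(2025, 5, 15, tzinfo=timezone.utc)   # constructed sample data
    token = issue_key("aic_12345", "ci-pipeline", "alice", "openai", 30, t0)
    print(verify(token, "openai", t0), verify(token, "anthropic", t0))
```

Because only the digest is stored, a copy of the key table does not yield usable keys, and revocation or expiry takes effect on the next request without touching the stored hash.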

API Keys vs. User Authentication

It's important to understand the difference between these authentication methods:

| API Keys | User Authentication |
|---|---|
| For application-to-AIC authentication | For human-to-AIC interface access |
| Long-lived (days to months) | Short-lived session (hours) |
| Typically used in automated services | Used in interactive sessions |
| Identified by key ID | Identified by username |
| Inherit permissions from associated user | Governed by user roles |
| Managed through Admin interface or through the 'My API Keys' page | Managed through user account settings |

Updated: 2025-05-15