Manage keys in code, not the console
A single Provisioning Key lets you create, update, list, and revoke Service Account Keys over a simple REST API-no dashboard clicks, no human in the loop.
Provisioning Keys
Manage every API key programmatically
Provisioning Keys give Organization Owners full-lifecycle control over Service Account Keys-create, update, list, and revoke non-user-bound keys over a simple REST API, each scoped with its own models, budgets, rate limits, and expiry.
No credit card required · Free to start
POST /prod/createServiceKey
cURL# Authorization: Bearer PROVISIONING-KEY
{
"api_key_name": "ci-pipeline",
"project_name": "Production",
"models": ["openai/gpt-5.5"],
"credit_limit": 150,
"reset_budget_interval": "daily",
"tags": ["ci", "prod"]
}
Response201 Created
api_keysk-fr-••••a91c
api_key_id_hashh_8f2c••4d7b
Why Provisioning Keys
Key management that runs itself
Hand the busywork of issuing, scoping, and retiring API keys to your own code-while high-privilege control stays with Organization Owners.
Built for automation, not people
Service Account Keys are non-user-bound, so CI/CD pipelines, agents, and customer environments each get credentials that outlive any single teammate.
Guardrails on every key
Scope accessible models, credit limits, TPM and RPM, expiry, metadata, and tags at creation-then change them anytime with one update call.
Lifecycle
One key for the entire key lifecycle
A Provisioning Key authenticates every call to the key-management API. Create scoped Service Account Keys, update or rotate them as needs change, and revoke them the moment they're done-all programmatically.
Authorize
Provisioning Key
Bearer PROVISIONING-KEY
- Organization Owners issue one high-privilege key.
- Authenticates every key-management call.
Create
Mint a scoped key
POST /createServiceKey
- Set models, budget, rate limits, and tags.
- Returns the secret key and a one-way hash.
Update / rotate
Adjust on the fly
POST /updateServiceKey
- Change limits, models, or expiry by hash.
- Rotate by minting a replacement key.
Revoke
Retire a key
POST /deleteServiceKey
- Delete by hash the moment access ends.
- No orphaned credentials left behind.
Programmatic control
Create and govern keys from a REST API
Drive the full key lifecycle from your own backend. Four endpoints handle everything, each authenticated with your Provisioning Key as a Bearer token.
Four REST endpoints
createServiceKey, getServiceKeys, updateServiceKey, and deleteServiceKey cover create, list, update, and revoke.
Keys returned with a hash
createServiceKey returns the secret key plus a one-way api_key_id_hash you reference for every later update or deletion.
Minimal required fields
Only org_id, project_id, project_name, and api_key_name are required-everything else is optional and configurable later.
Provisioning API
- POST
/createServiceKey
Mint a new scoped key
- GET
/getServiceKeys
List every service key
- POST
/updateServiceKey
Change limits, models, tags
- POST
/deleteServiceKey
Revoke a key by hash
Authorization: Bearer PROVISIONING-KEY
Scoped guardrails
Every key ships with its own limits
Attach guardrails at creation so each Service Account Key stays inside the budget, models, and rate limits you intend-with metadata and tags for organization.
Budgets with resets
Set a credit_limit and a daily, weekly, or monthly reset_budget_interval, or leave it unlimited.
Model & rate scoping
Restrict accessible models and cap tokens-per-minute and requests-per-minute on each individual key.
Expiry, metadata & tags
Schedule expiration, attach custom metadata like team or deployment, and tag keys to filter by project or environment.
ci-pipeline
Models
GPT-5.5+3
Credit limit
$150 / daily
TPM
10k
RPM
10
Expires
2025-03-28
Tags
ciprod
metadata: { team: platform, env: prod }
Fleet management
See and govern every key from one place
List the keys your Provisioning Key manages, group them by tags and metadata, and rotate or revoke any of them the instant access should end.
Non-user-bound inventory
Service Account Keys aren't tied to a person, so departures and role changes never strand a credential.
Rotate by replacement
Mint a fresh key, cut traffic over, then delete the old one by its hash-rotation without downtime.
Revoke instantly
Call deleteServiceKey with the key's hash to retire it immediately, leaving no orphaned access behind.
Service account keys
Managed via provisioningci-pipeline
cisk-fr-••••a91c
Active$42 / $150billing-export
cronsk-fr-••••7d20
Active$8 / $50acme-tenant
customersk-fr-••••3f9b
Active$310 / $500legacy-batch
batchsk-fr-••••1c4e
Revoked—
4 keys · non-user-boundAuditable
Provisioning Key vs Service Account Key
Two keys, two clearly separated jobs
Provisioning Keys manage the lifecycle of your keys; Service Account Keys carry the guardrails and run your workloads. Here's exactly how they differ.
| Capability | Provisioning KeyManages keys | Service Account KeyRuns workloads |
|---|---|---|
| Purpose | ||
| Create, update, list & revoke API keys | Included | Not included |
| Authenticate model & inference requests | Not included | Included |
| Non-user-bound, built for automation | Included | Included |
| Per-key guardrails | ||
| Scoped model access | Not included | Included |
| Credit limit & budget reset | Not included | Included |
| TPM & RPM rate limits | Not included | Included |
| Expiry, metadata & tags | Not included | Included |
| Access | ||
| Managed over REST API | Included | Included |
| Restricted to Organization Owners | Included | Not included |
Provisioning Keys are the management plane: Organization Owners use them to mint and govern Service Account Keys, which carry the model, budget, rate-limit, and expiry guardrails. Provisioning Keys cannot call models.
Use cases
Built for teams that manage keys at scale
From CI/CD pipelines to per-customer environments, Provisioning Keys turn API key management into a few lines of code.
Automate API key management
Issue and retire keys straight from your backend-onboard a workload, provision its key, and clean it up automatically when it's done.
Credential CI/CD pipelines
Give build, test, and deploy stages non-user-bound Service Account Keys that no single teammate owns and that you can rotate on a schedule.
Per-customer & per-environment keys
Mint a scoped key for every tenant, customer, or environment, each with its own models, budget, and tags for clean separation.
Govern usage & budgets at scale
Set model scopes, credit limits, and rate limits at creation, then tighten or rotate them later with a single update call.
FAQ
Provisioning Keys, explained
A Provisioning Key is a high-privilege, organization-level credential that lets you create, update, list, and revoke FastRouter Service Account Keys over a REST API. Only Organization Owners can generate and manage Provisioning Keys, and they're built for automating key management-not for calling models.
No. Provisioning Keys cannot call model endpoints or route completions. They exist solely to manage the lifecycle of Service Account Keys. Use the Service Account Keys a Provisioning Key creates for your actual inference requests.
A Provisioning Key is the management plane: it creates and governs keys. A Service Account Key is the credential your applications, agents, and pipelines use to call models. Service Account Keys are non-user-bound and carry their own model scopes, credit limits, rate limits, expiry, metadata, and tags.
Four REST endpoints under https://api.fastrouter.ai/prod: createServiceKey, getServiceKeys, updateServiceKey, and deleteServiceKey. Each request authenticates with your Provisioning Key as a Bearer token, and createServiceKey returns the secret Service Account Key alongside a one-way hash.
At creation you must provide org_id, project_id, project_name, and api_key_name. You can optionally set credit_limit, reset_budget_interval, expire_key, models, tpm_limit, rpm_limit, metadata, and tags-and change any of them later with updateServiceKey.
Every createServiceKey response includes a one-way hash (api_key_id_hash). Pass that hash to updateServiceKey to change a key's settings, or to deleteServiceKey to revoke it. To rotate, mint a replacement key and delete the old one. Store your Provisioning Key and the returned hashes securely-the Provisioning Key has high privileges.
Automate your API key lifecycle
Generate a Provisioning Key, mint your first Service Account Key, and put key management on autopilot-in minutes.