Skip to main content
Two keys travel with every request, and they are not interchangeable.
Your provider key is forwarded to the provider verbatim and never stored. Toolken keeps only a one-way hash of your Toolken key.
If a key starts with sk-, it is a provider key. It never goes in X-Toolken-Key.

Two keys, two jobs

Toolken key

tk_live_...Sent in X-Toolken-Key.Authenticates you to Toolken. Create and revoke in the dashboard.

Provider key

sk-... / sk-ant-...Sent in Authorization: Bearer (OpenAI-compatible) or x-api-key (Anthropic).Your existing provider key. Forwarded untouched.

Where each key goes

Toolken reads and strips its own X-Toolken-* headers before forwarding. Everything else, including your provider auth, passes through unchanged.

Managing keys

  • A key’s full value is shown once at creation. Store it securely.
  • Toolken keeps only a one-way hash. The raw value is never stored.
  • Revoking a key takes effect within about a minute.
Rotate without downtime using these steps:
1

Create a new key

Go to the dashboard under API Keys and generate a new Toolken key.
2

Deploy it

Update your app or service to send the new key in X-Toolken-Key.
3

Revoke the old one

Delete the previous key from the dashboard. It stops working within about a minute.
Use a separate key per environment or service so you can attribute and revoke them independently.
Signing in to the dashboard is separate from your Toolken API key. The API key is only for routing traffic through the gateway.

When authentication fails

See Troubleshooting for the full list.

What’s next

Observability

See what the two keys buy you: cost, usage, and performance per agent, feature, and customer.

Quickstart

Make your first request.