Access keys authenticate every request to https://gateway.ngrok.ai. The AI Gateway validates each key before forwarding traffic. Upstream provider credentials are managed separately—see Access keys vs provider keys.
How it works
- Create an access key in app.ngrok.ai or via the AI Gateway API
- Send the key as
Authorization: Bearer ng-xxxxx-g1-xxxxx (OpenAI-compatible APIs) or x-api-key (Anthropic native API)
- The gateway validates the key on every request
- Invalid or missing keys are rejected—requests do not reach providers
from openai import OpenAI
client = OpenAI(
base_url="https://gateway.ngrok.ai/v1",
api_key="ng-xxxxx-g1-xxxxx" # Your access key
)
response = client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "Hello!"}]
)
The AI Gateway replaces your access key with provider credentials from your configuration before forwarding to the upstream provider.
Per-client keys
Create separate access keys for each client or application:
- Revoke one client without affecting others
- Track usage per key
- Assign different configurations to limit scope per client
Create access keys with the Access Keys API. Authorize the request with your AI Gateway API key.
curl -X POST https://api.ngrok.ai/access-keys \
-H "Authorization: Bearer $AI_GATEWAY_API_KEY" \
-H "Content-Type: application/json" \
-d '{ "name": "Production web app" }'
Delete access keys with the Access Keys API. Authorize the request with your AI Gateway API key.
curl -X DELETE https://api.ngrok.ai/access-keys/aigk_xxxxx \
-H "Authorization: Bearer $AI_GATEWAY_API_KEY"
See the Access Keys API reference.
Deletion is permanent. Clients using the revoked key receive authentication errors immediately.
Protecting provider keys
Store provider keys in app.ngrok.ai and reference them in configurations. Clients only ever hold the access key.
See Provider Keys.
Next steps