# Secure your gateway

> How access keys provide built-in authorization for the AI Gateway.

[Access keys](/ai-gateway/concepts/access-keys) authenticate every request to `https://gateway.ngrok.ai`. The AI Gateway validates each key before forwarding traffic. Upstream provider credentials are managed separately—see [Access keys vs provider keys](/ai-gateway/concepts/access-keys#access-keys-vs-provider-keys).

## How it works

1. [Create an access key](/ai-gateway/concepts/access-keys) in [app.ngrok.ai](https://app.ngrok.ai) or via the AI Gateway API
2. Send the key as `Authorization: Bearer ng-xxxxx-g1-xxxxx` (OpenAI-compatible APIs) or `x-api-key` (Anthropic native API)
3. The gateway validates the key on every request
4. Invalid or missing keys are rejected—requests do not reach providers

```python
from openai import OpenAI

client = OpenAI(
    base_url="https://gateway.ngrok.ai/v1",
    api_key="ng-xxxxx-g1-xxxxx"  # Your access key
)

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Hello!"}]
)
```

The AI Gateway replaces your access key with provider credentials from your configuration before forwarding to the upstream provider.
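
A client-side guard for step 2, as an added example rather than ngrok's own code: it loads the access key from the environment, picks the header for each API style, and refuses to attach the key to anything other than `https://gateway.ngrok.ai`. The helper names and the `NGROK_AI_ACCESS_KEY` variable are assumptions, and the sample key and lookalike URLs are constructed.

```python
import os
from urllib.parse import urlsplit

GATEWAY_HOST = "gateway.ngrok.ai"    # gateway host named on this page
KEY_ENV_VAR = "NGROK_AI_ACCESS_KEY"  # hypothetical variable name


def load_access_key(env=None):
    """Read the access key from the environment instead of source code."""
    key = (os.environ if env is None else env).get(KEY_ENV_VAR, "")
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def gateway_headers(url, access_key, api_style="openai"):
    """Build the auth header for `url`, but only for the gateway over HTTPS.

    The URL is parsed rather than prefix-matched, so lookalike hosts and
    userinfo tricks do not pass the check.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != GATEWAY_HOST:
        raise ValueError(f"refusing to send access key to {url!r}")
    if not access_key or access_key != access_key.strip():
        raise ValueError("access key is empty or has stray whitespace")
    if api_style == "openai":        # OpenAI-compatible APIs
        return {"Authorization": f"Bearer {access_key}"}
    if api_style == "anthropic":     # Anthropic native API
        return {"x-api-key": access_key}
    raise ValueError(f"unknown api_style: {api_style!r}")


def redact(access_key, keep=4):
    """Form of the key that is safe to write to logs."""
    if len(access_key) <= keep:
        return "*" * len(access_key)
    return "*" * (len(access_key) - keep) + access_key[-keep:]


if __name__ == "__main__":
    sample = "ng-test1-g1-test2"  # constructed sample, not a real key
    print(gateway_headers("https://gateway.ngrok.ai/v1", sample, "anthropic"))
    print("using key", redact(sample))
    for url in ("http://gateway.ngrok.ai/v1",
                "https://gateway.ngrok.ai.attacker.example/v1"):
        try:
            gateway_headers(url, sample)
        except ValueError as err:
            print("blocked:", err)
```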

## Per-client keys

Create separate access keys for each client or application:

* Revoke one client without affecting others
* Track usage per key
* Assign different [configurations](/ai-gateway/guides/access-key-configurations) to limit scope per client

Create access keys with the [Access Keys API](/ai-gateway/api-reference/access-keys/create). Authorize the request with your [AI Gateway API key](/ai-gateway/concepts/access-keys#credentials-overview).

```bash
curl -X POST https://api.ngrok.ai/access-keys \
  -H "Authorization: Bearer $AI_GATEWAY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "name": "Production web app" }'
```

Delete access keys with the [Access Keys API](/ai-gateway/api-reference/access-keys/delete). Authorize the request with your [AI Gateway API key](/ai-gateway/concepts/access-keys#credentials-overview).

```bash
curl -X DELETE https://api.ngrok.ai/access-keys/aigk_xxxxx \
  -H "Authorization: Bearer $AI_GATEWAY_API_KEY"
```

See the [Access Keys API reference](/ai-gateway/api-reference/access-keys/delete).

<Warning>
  Deletion is permanent. Clients using the revoked key receive authentication errors immediately.
</Warning>

## Protecting provider keys

Store provider keys in app.ngrok.ai and reference them in configurations. Clients only ever hold the access key.

See [Provider Keys](/ai-gateway/guides/attaching-provider-keys).

## Next steps

* [Access Keys](/ai-gateway/concepts/access-keys): Create and manage keys
* [Access Key Configurations](/ai-gateway/guides/access-key-configurations): Scope and credentials per key
* [Error Codes](/ai-gateway/reference/error-codes): Authentication errors
