Best Practices

Security

Protect your API keys, data, and users. Production-grade patterns for key management, rotation, access control, and monitoring.

API Key Management

  • Never hardcode keys — Use environment variables or a secrets manager (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault)
  • Never commit keys to git — Add .env to .gitignore. Use git-secrets or truffleHog to scan your repo history
  • Use separate keys per environment — Dev / staging / production keys are independent. If a dev key leaks, production is unaffected
  • Scope every key — Restrict model access, set spending caps, and IP-whitelist every key at creation time

Key Rotation

Rotate API keys every 90 days. Here's a safe rotation procedure with validation:

python
import os
import requests

# Step 1: Create new key via Dashboard or API
NEW_KEY = "sk-new-key-from-dashboard"

# Step 2: Update environment (do this atomically with your deploy)
# In production, use a secrets manager: AWS Secrets Manager, GCP Secret Manager, or Vault
os.environ["ONEROUTER_API_KEY"] = NEW_KEY

# Step 3: Verify new key works
response = requests.post(
    "https://api.onerouter.app/v1/chat/completions",
    headers={"Authorization": f"Bearer {NEW_KEY}"},
    json={"model": "gpt-4o", "messages": [{"role": "user", "content": "ping"}]},
    timeout=10,
)
assert response.status_code == 200, f"New key validation failed: {response.status_code}"

# Step 4: Revoke old key in Dashboard → API Keys
# Only do this AFTER confirming new key works in production
print("New key validated. Revoke old key in Dashboard now.")

Backend Proxy (Required for Browser/Mobile)

Never call OneRouter directly from client-side code. API keys exposed in browsers or mobile apps can be extracted by anyone. Always route through your backend:

Browser App → Your Backend API → OneRouter API
                      ↑
              API key lives here
          (never reaches the client)

Your backend validates the user's session, then forwards the AI request with the server-side API key. The client never sees the key.

IP Whitelisting

Restrict each API key to specific IP addresses or CIDR ranges. Even if a key leaks, it's useless from unauthorized networks. Configure in Dashboard → API Keys → Edit → IP Whitelist. For production keys, whitelist only your backend servers' outbound IPs.

Enable MFA

Protect your OneRouter Dashboard account with multi-factor authentication. Available via TOTP authenticator apps (Google Authenticator, Authy, 1Password). Enable in Dashboard → Settings → Security → MFA.

Audit & Monitoring

Log key usage for anomaly detection:

python
# Monitor API key usage via response headers
import logging

def audit_request(response, key_name):
    usage = response.json().get("usage", {})
    logging.info(f"[{key_name}] model={response.json()['model']} "
                 f"tokens={usage.get('total_tokens', 0)} "
                 f"remaining_rpm={response.headers.get('x-ratelimit-remaining-requests', '?')}")

In the Dashboard, regularly review Activity Logs per key. Look for: unexpected model usage, token spikes, requests from unfamiliar IPs, or unusual hours.

If a Key is Compromised

  1. Revoke immediately — Dashboard → API Keys → Revoke (takes effect in <60 seconds)
  2. Generate a new key — and update your application
  3. Audit the old key's logs — Check for any unauthorized usage before deletion
  4. Investigate how it leaked — Check git history, CI logs, error messages, client-side code
  5. Tighten scopes — Add IP whitelisting and lower the spending cap on the replacement key
Lost keys cannot be recovered. OneRouter shows your API key only once at creation. We store only an encrypted hash. If you lose a key, revoke it and generate a new one.