Best Practices
Security
Protect your API keys, data, and users. Production-grade patterns for key management, rotation, access control, and monitoring.
API Key Management
- Never hardcode keys — Use environment variables or a secrets manager (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault)
- Never commit keys to git — Add
.envto.gitignore. Usegit-secretsortruffleHogto scan your repo history - Use separate keys per environment — Dev / staging / production keys are independent. If a dev key leaks, production is unaffected
- Scope every key — Restrict model access, set spending caps, and IP-whitelist every key at creation time
Key Rotation
Rotate API keys every 90 days. Here's a safe rotation procedure with validation:
import os
import requests
# Step 1: Create new key via Dashboard or API
NEW_KEY = "sk-new-key-from-dashboard"
# Step 2: Update environment (do this atomically with your deploy)
# In production, use a secrets manager: AWS Secrets Manager, GCP Secret Manager, or Vault
os.environ["ONEROUTER_API_KEY"] = NEW_KEY
# Step 3: Verify new key works
response = requests.post(
"https://api.onerouter.app/v1/chat/completions",
headers={"Authorization": f"Bearer {NEW_KEY}"},
json={"model": "gpt-4o", "messages": [{"role": "user", "content": "ping"}]},
timeout=10,
)
assert response.status_code == 200, f"New key validation failed: {response.status_code}"
# Step 4: Revoke old key in Dashboard → API Keys
# Only do this AFTER confirming new key works in production
print("New key validated. Revoke old key in Dashboard now.")Backend Proxy (Required for Browser/Mobile)
Never call OneRouter directly from client-side code. API keys exposed in browsers or mobile apps can be extracted by anyone. Always route through your backend:
Browser App → Your Backend API → OneRouter API
↑
API key lives here
(never reaches the client)Your backend validates the user's session, then forwards the AI request with the server-side API key. The client never sees the key.
IP Whitelisting
Restrict each API key to specific IP addresses or CIDR ranges. Even if a key leaks, it's useless from unauthorized networks. Configure in Dashboard → API Keys → Edit → IP Whitelist. For production keys, whitelist only your backend servers' outbound IPs.
Enable MFA
Protect your OneRouter Dashboard account with multi-factor authentication. Available via TOTP authenticator apps (Google Authenticator, Authy, 1Password). Enable in Dashboard → Settings → Security → MFA.
Audit & Monitoring
Log key usage for anomaly detection:
# Monitor API key usage via response headers
import logging
def audit_request(response, key_name):
usage = response.json().get("usage", {})
logging.info(f"[{key_name}] model={response.json()['model']} "
f"tokens={usage.get('total_tokens', 0)} "
f"remaining_rpm={response.headers.get('x-ratelimit-remaining-requests', '?')}")In the Dashboard, regularly review Activity Logs per key. Look for: unexpected model usage, token spikes, requests from unfamiliar IPs, or unusual hours.
If a Key is Compromised
- Revoke immediately — Dashboard → API Keys → Revoke (takes effect in <60 seconds)
- Generate a new key — and update your application
- Audit the old key's logs — Check for any unauthorized usage before deletion
- Investigate how it leaked — Check git history, CI logs, error messages, client-side code
- Tighten scopes — Add IP whitelisting and lower the spending cap on the replacement key