Virtual keys & budgets

A virtual key is the unit of access and control in aigw. You issue as many as you like — one per team, project, environment, or autonomous agent — and each carries its own budget and model allow-list. Clients authenticate with the virtual key; they never see a provider key.

Create a key

Console → Keys → New key. Each key has:

• Name / subject — who or what this key represents (a team, a CI job, an agent). It shows up on every audited request.
• Monthly budget — a hard spend cap in cents for the calendar month. When spend reaches the cap, further requests return 402 until the next period or a raised cap.
• Allowed models — an optional allow-list. Omit it to allow every model in the catalog; set it to pin a key to, say, only cheaper models.

The secret (aigw-sk-…) is shown once. Rotate or revoke at any time — revocation takes effect at the edge within seconds.

How budgets are enforced

Spend is metered per request from real provider cost and rolled up per key for the current month. The cap is checked at the gateway, before the request is forwarded, so an over-budget key never reaches a provider. Budgets are advisory-free: there’s no overage billing unless you configure it.

key: team-research   budget: €3,000 / mo   spent: €1,840   → allowed
key: agent-x         budget:   €200 / mo   spent:   €200   → 402 over budget

Attribution

Every request is tagged with its key’s subject, so the audit log and the usage analytics break spend down by team / project / agent. You can also pass caller-set tags (use-case, project) on a request for finer reporting.

See also: providers & models · budgets, DLP & audit.