API Key Management - Complete Guide

Overview

API Keys are the foundation of your integration with AI Guard Developer Portal. Each key provides secure access to the Dev Guard API with customizable guardrails, privacy protection, and compliance features.

Understanding API Keys

What is an API Key?

An API key is a unique credential that:

• Authenticates your application
• Routes requests to specific LLM connections
• Applies guardrails and security policies
• Tracks usage and costs
• Enforces rate limits

Format: devkey_[64-character-hash]

Example: devkey_33536cc9976ea64b39939ee5a05d5f0f172fa1e91fb82daf

Key Features

Each API key can configure:

• ✓ LLM connection (which AI model to use)
• ✓ Privacy Guard (PII detection/redaction)
• ✓ Input guardrails (validate prompts)
• ✓ Output guardrails (filter responses)
• ✓ Persona guardrails (AI personality/behavior)
• ✓ Agent guardrails (control agent actions)
• ✓ Citadel protection (prompt injection defense)
• ✓ Compliance checking (industry standards)
• ✓ Rate limiting (requests per minute)
• ✓ Token limits (max tokens per request)

Creating API Keys

Step-by-Step Creation

1. Navigate to API Keys

   • Click "API Keys" in left sidebar
   • Or go to Settings > API Keys

2. Click "Create New API Key"

3. Configure Basic Settings

Key Name: Production Chatbot API
Description: Customer support chatbot for website
LLM Connection: [Select your configured LLM]
Status: Active

4. Enable Security Features

Privacy Guard:

• ✓ Enable Privacy Guard
• Automatically detects and redacts:
  • Email addresses
  • Phone numbers
  • SSN, credit cards
  • Addresses
  • Custom PII patterns

Citadel (Prompt Injection Protection):

• ✓ Enable Citadel
• Blocks:
  • Jailbreak attempts
  • Prompt leaking
  • Instruction override
  • System prompt extraction

5. Configure Guardrails

Input Guardrails:

• Select from dropdown or leave blank
• Validates user prompts before LLM
• Examples:
  • Block profanity
  • Prevent off-topic questions
  • Validate format/structure
  • Industry-specific rules

Output Guardrails:

• Select from dropdown or leave blank
• Filters LLM responses
• Examples:
  • Remove inappropriate content
  • Ensure factual accuracy
  • Maintain brand voice
  • Compliance checking

Persona Guardrails:

• Enforces AI personality
• Examples:
  • Professional tone
  • Helpful assistant
  • Specific domain expert
  • Brand character

Agent Guardrails:

• Controls autonomous actions
• Examples:
  • Allowed tools/functions
  • Action approval requirements
  • Safety constraints

6. Set Rate Limits

Max Requests per Minute: 100
Max Tokens per Request: 4000
Max Tokens per Month: 1000000 (optional)

7. Compliance Settings (Optional)

Enable Compliance Check: ✓
Compliance Framework: HIPAA / GDPR / SOC2 / PCI-DSS
Compliance Service URL: [Your compliance endpoint]
Compliance API Key: [If required]

8. Generate Key
   • Click "Generate API Key"
   • Key is displayed once
   • COPY IMMEDIATELY
   • Click "Copy to Clipboard"
   • Store securely

⚠️ Critical: You cannot retrieve the key again. If lost, you must create a new one.

Managing Existing Keys

Viewing API Keys

API Keys Dashboard Shows:

• Key name and description
• Last 8 characters of key (for identification)
• Associated LLM connection
• Status (Active/Inactive)
• Usage statistics
• Creation date
• Last used

Editing API Keys

1. Click "Edit" button next to key
2. Modify any settings except:
   • ✗ The actual API key (immutable)
   • ✗ Creation date
   • ✗ User ID

Can Modify:

• ✓ Key name/description
• ✓ LLM connection
• ✓ All guardrail settings
• ✓ Rate limits
• ✓ Status (active/inactive)

3. Click "Save Changes"

Viewing Key Details

Click key name to see:

Configuration:

• All settings and guardrails
• Rate limit configuration
• Compliance settings

Usage Statistics:

• Total requests
• Tokens used
• Estimated costs
• Success rate
• Average response time

Recent Activity:

• Last 50 requests
• Guardrail violations
• Error logs

Deactivating Keys

Temporarily Disable:

1. Edit API key
2. Set Status to "Inactive"
3. Save

Effects:

• API requests return 401 Unauthorized
• Statistics preserved
• Can reactivate anytime
• No data loss

Use Cases:

• Suspected compromise
• Temporary maintenance
• Testing alternative keys
• Gradual migration

Deleting Keys

⚠️ Permanent Action

1. Click "Delete" button
2. Confirm deletion
3. Key is permanently removed

Effects:

• API requests fail immediately
• Usage history preserved (audit)
• Cannot be recovered
• Applications using key will break

Before Deleting:

• Update all applications
• Export usage data if needed
• Document reason for deletion

Advanced Configuration

Multiple Keys Strategy

Best Practice: Separate Keys Per:

Environment:

dev-chatbot-key      → Development
staging-chatbot-key  → Staging  
prod-chatbot-key     → Production

Application:

customer-support-key → Support chatbot
doc-qa-key          → Documentation Q&A
code-assistant-key  → Code helper

Security Level:

public-api-key      → Public facing (strict guardrails)
internal-tool-key   → Internal use (relaxed)
admin-key          → Administrative (minimal restrictions)

Guardrail Assignment

Finding Guardrails:

1. Settings > Guardrails > Library
2. Browse by type:
   • Input Validation
   • Output Filtering
   • Persona Templates
   • Agent Controls
3. Preview guardrail rules
4. Select for your API key

Creating Custom Guardrails:

1. Settings > Guardrails > Create
2. Define rules in YAML
3. Test in playground
4. Assign to API keys

Example: Customer Support

Input Guardrail: Block profanity, require questions
Output Guardrail: Professional tone, no medical advice
Persona: Helpful, empathetic support agent
Agent: No external API calls, read-only database

Rate Limiting Best Practices

Set Appropriate Limits:

Public API (high traffic):

Requests/min: 1000
Tokens/request: 2000
Tokens/month: 10000000

Internal Tool (moderate):

Requests/min: 100
Tokens/request: 4000
Tokens/month: 1000000

Admin/Testing (low):

Requests/min: 10
Tokens/request: 8000
Tokens/month: 100000

Why Rate Limits Matter:

• Prevent abuse/attacks
• Control costs
• Ensure fair usage
• Protect backend resources

Security Best Practices

Storing API Keys Securely

✓ DO:

• Use environment variables

export DEV_GUARD_API_KEY="devkey_xxx"

• Use secrets management

# AWS Secrets Manager
import boto3
client = boto3.client('secretsmanager')
api_key = client.get_secret_value(SecretId='dev-guard-key')['SecretString']

• Use configuration files (not in git)

# config.py (in .gitignore)
API_KEY = "devkey_xxx"

• Use platform secret stores

Heroku: heroku config:set DEV_GUARD_KEY=devkey_xxx
Vercel: Environment Variables in dashboard
AWS Lambda: Environment variables (encrypted)

✗ DON'T:

• ✗ Commit to Git/GitHub
• ✗ Hardcode in source files
• ✗ Share via email/chat
• ✗ Expose in client-side code
• ✗ Log in plain text
• ✗ Include in error messages

Key Rotation

When to Rotate:

• Every 90 days (recommended)
• After team member departure
• If key exposed/committed
• After security incident
• Compliance requirements

How to Rotate:

1. Create new API key
2. Update applications with new key
3. Test thoroughly
4. Monitor for errors
5. Deactivate old key
6. After 24-48 hours, delete old key

Monitoring for Compromise

Warning Signs:

• Unexpected usage spikes
• Requests from unknown IPs
• Unusual error rates
• Off-hours activity
• Geographic anomalies

If Compromised:

1. Immediately deactivate key
2. Create new key
3. Update applications
4. Review audit logs
5. Investigate source
6. Document incident
7. Delete compromised key

Usage Tracking

API Logs

View Request Logs:

1. API Keys > Select key > View Logs
2. Or: Logs > Filter by API key

Log Information:

• Timestamp
• Request details
• Response status
• Guardrail results
• Token usage
• Cost
• Latency
• IP address

Cost Monitoring

Track Costs:

1. API Keys > Cost Breakdown
2. View by:
   • Per key
   • Per day/week/month
   • By LLM model
   • By token type

Cost Alerts:

• Set monthly budget limits
• Email notifications
• Auto-disable at threshold

Analytics Dashboard

Metrics Available:

• Request volume (timeline)
• Success/error rates
• Average latency
• Token consumption
• Cost trends
• Guardrail violation rate
• Top endpoints
• Peak usage times

Compliance Integration

Enabling Compliance Checks

Supported Frameworks:

• HIPAA: Healthcare data
• GDPR: EU privacy
• SOC 2: Security controls
• PCI-DSS: Payment data
• Custom: Your own rules

Configuration:

{
  "enable_compliance_check": true,
  "compliance_framework": "HIPAA",
  "compliance_service_url": "https://your-compliance-api.com/check",
  "compliance_api_key": "your_compliance_key"
}

How It Works:

1. Request received with API key
2. Input checked against compliance rules
3. If violation detected, request blocked
4. Response logged for audit
5. Notification sent (if configured)

Compliance Reporting

Generate Reports:

1. API Keys > Compliance Reports
2. Select date range
3. Export as PDF/CSV

Report Contents:

• Total requests
• Compliance checks performed
• Violations detected
• Remediation actions
• Audit trail

Troubleshooting

API Key Not Working

Error: "Invalid API Key"

• Verify key starts with devkey_
• Check for extra spaces/line breaks
• Ensure key is active
• Verify not deleted

Error: "Rate Limit Exceeded"

• Check current usage
• Increase rate limit if needed
• Implement request queuing
• Use multiple keys for load balancing

Error: "Unauthorized"

• API key inactive or deleted
• Wrong header name (must be X-API-Key)
• Key associated with wrong user

Guardrail Issues

All Requests Blocked:

• Review guardrail configuration
• Check sensitivity scores
• Test in playground
• Temporarily disable to isolate

Inconsistent Blocking:

• Guardrail rules may be ambiguous
• Review violation logs
• Adjust thresholds
• Add more specific rules

Performance Issues

Slow Response Times:

• Check LLM endpoint latency
• Reduce max_tokens
• Optimize guardrail complexity
• Use faster LLM models
• Cache common responses

API Key Examples

Example 1: Public Chatbot

Name: Website Chatbot
LLM: GPT-4 Turbo
Privacy Guard: ✓ Enabled
Citadel: ✓ Enabled
Input Guardrail: Block profanity + off-topic
Output Guardrail: Professional tone filter
Persona: Friendly support agent
Rate Limit: 1000/min
Max Tokens: 2000

Example 2: Internal Tool

Name: Employee Assistant
LLM: GPT-4
Privacy Guard: ✓ Enabled
Citadel: ✗ Disabled (trusted users)
Input Guardrail: None
Output Guardrail: Internal policy compliance
Persona: Professional colleague
Rate Limit: 100/min
Max Tokens: 4000

Example 3: Document Q&A

Name: Knowledge Base QA
LLM: GPT-3.5 Turbo
Privacy Guard: ✗ Disabled (no PII in docs)
Citadel: ✓ Enabled
Input Guardrail: Question format validation
Output Guardrail: Factual accuracy check
Persona: Knowledgeable expert
Rate Limit: 500/min
Max Tokens: 1000

Best Practices Summary

Security

• ✓ Never commit keys to version control
• ✓ Use environment variables
• ✓ Rotate keys every 90 days
• ✓ Separate keys per environment
• ✓ Monitor usage for anomalies
• ✓ Delete unused keys

Performance

• ✓ Set appropriate rate limits
• ✓ Use token limits
• ✓ Monitor response times
• ✓ Cache when possible
• ✓ Choose right LLM for task

Cost Control

• ✓ Set monthly token budgets
• ✓ Monitor costs daily
• ✓ Use cheaper models when suitable
• ✓ Implement usage alerts
• ✓ Review logs for waste

Compliance

• ✓ Enable Privacy Guard in production
• ✓ Configure industry-specific compliance
• ✓ Regular audit log reviews
• ✓ Document all configurations
• ✓ Export compliance reports monthly

Next Steps

• Learn about Custom Guardrails
• Explore Privacy Guard Configuration
• Set up Compliance Checking
• Review Monitoring & Analytics
• Read Integration Best Practices