Authentication
API key management and security.
API keys
Use Bearer token authentication. Include your API key in the Authorization header of every request:
HTTP Header
Authorization: Bearer YOUR_API_KEY
Creating API keys
- Navigate to Settings → API Keys
- Click Create new key
- Give it a descriptive name (e.g. "Production", "Development")
- Copy the key immediately — it won't be shown again
API keys are shown only once at creation. Store them securely using environment variables or a secrets manager.
Default models per key
Each API key can have default model routing configured:
- Smart Routing — let AllToken choose the best provider path automatically
- Default Model — if a request doesn't specify a model, default to this one
- Forced Model — always override incoming requests to use a specific model
Configure these in Settings → API Keys by editing a key.
Security best practices
- Never expose API keys in client-side code, Git repositories, or browser DevTools
- Use environment variables: ALLTOKEN_API_KEY
- Rotate keys regularly — delete old keys and create new ones
- Use separate keys for production and development
- Monitor usage in Settings → Usage for unexpected activity
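One way to apply the environment-variable and Bearer-header guidance above in a client, as an added example that is not AllToken's own code. The endpoint URL is a placeholder (the page does not give the API base URL), the helper names are hypothetical, and the sample key is constructed.

```python
import os
import urllib.request

ENV_VAR = "ALLTOKEN_API_KEY"  # variable name given on this page
# Placeholder endpoint: the page does not state the API base URL.
PLACEHOLDER_URL = "https://api.example.invalid/v1/placeholder"


class MissingKeyError(RuntimeError):
    """Raised when the key is absent or not safe to place in a header."""


def load_api_key(env=None):
    """Read the key from the environment and fail closed if it is unusable."""
    env = os.environ if env is None else env
    key = env.get(ENV_VAR, "").strip()  # tolerate a trailing newline from a secrets file
    if not key:
        raise MissingKeyError(f"{ENV_VAR} is not set")
    # Reject embedded whitespace/control characters so a corrupted value
    # cannot split or inject HTTP headers.
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in key):
        raise MissingKeyError(f"{ENV_VAR} contains whitespace or control characters")
    return key


def redact(key):
    """Log-safe form of the key: only the last 4 characters are kept."""
    return "****" + key[-4:] if len(key) > 8 else "****"


def build_request(url, body, env=None):
    """Build (but do not send) a POST request carrying the Bearer header."""
    key = load_api_key(env)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Bearer {key}")
    req.add_header("Content-Type", "application/json")
    return req


if __name__ == "__main__":
    # Constructed sample key, not a real credential.
    sample_env = {ENV_VAR: "constructed-sample-key-0000"}
    req = build_request(PLACEHOLDER_URL, b"{}", env=sample_env)
    print(req.get_method(), req.full_url)
    print("key in use:", redact(load_api_key(sample_env)))
```

Log only the `redact()` form, so the full key never reaches application logs or error reports.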
OAuth sign-in
For the AllToken dashboard (not API access), users can sign in via:
- Email + password
- Google OAuth
- GitHub OAuth
OAuth is for dashboard access only. API requests always use Bearer token authentication.