Authentication
Learn how to authenticate your API requests and manage API keys securely.
Overview
LLM Hub uses API keys to authenticate requests. All API requests must include a valid API key in the Authorization header.
Request Header
Authorization: Bearer YOUR_API_KEYReplace YOUR_API_KEY with your actual API key from the dashboard.
Getting API Keys
Create a New Key
- Log in to your LLM Hub dashboard
- Navigate to Settings → API Keys
- Click Create New Key
- Enter a descriptive name (e.g., "Production", "Development")
- Copy and securely store the key immediately
Important
API keys are shown only once at creation. If you lose a key, you'll need to create a new one. We recommend storing keys in a secure password manager or secrets vault.
API Key Format
LLM Hub API keys follow this format:
| Prefix | Type | Example |
|---|---|---|
llmhub_sk_ | Standard API Key | llmhub_sk_abc123... |
llmhub_pk_ | Public Key (limited access) | llmhub_pk_xyz789... |
Security Best Practices
Use Environment Variables
Never hardcode API keys in your source code. Use environment variables or a secrets manager.
# .env file
LLMHUB_API_KEY=llmhub_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Never commit this file to git!
# Add .env to your .gitignoreServer-Side Only
Keep API keys on your backend. Never expose them in frontend code, mobile apps, or browser JavaScript.
// Next.js API Route (app/api/chat/route.ts)
import OpenAI from 'openai';
import { NextRequest, NextResponse } from 'next/server';
const client = new OpenAI({
baseURL: 'https://api.llmhub.one/v1',
apiKey: process.env.LLMHUB_API_KEY! // Server-side only
});
export async function POST(request: NextRequest) {
const { messages } = await request.json();
const response = await client.chat.completions.create({
model: 'gpt-4o',
messages
});
return NextResponse.json(response);
}Rotate Keys Regularly
Create new keys periodically and revoke old ones. This limits the damage if a key is compromised. You can have multiple active keys for seamless rotation.
Use Separate Keys Per Environment
Create different API keys for development, staging, and production. This makes it easier to revoke keys and track usage.
Authentication Errors
When authentication fails, you'll receive an error response:
| HTTP Status | Error Code | Description |
|---|---|---|
| 401 | invalid_api_key | The API key is invalid or malformed |
| 401 | missing_api_key | No API key was provided in the request |
| 403 | key_revoked | The API key has been revoked |
Example Error Response
{
"error": {
"message": "Invalid API key provided",
"type": "invalid_request_error",
"code": "invalid_api_key"
}
}Managing API Keys
Viewing Keys
View all your API keys in the dashboard. You can see when each key was created and last used, but not the full key value.
Revoking Keys
Revoke a key immediately if you suspect it's been compromised. Revoked keys cannot be restored — you'll need to create a new one.
Key Limits
Each account can have up to 10 active API keys. This allows you to use different keys for different applications or environments.