API key management

Overview

API keys authenticate your application's requests to ModelRiver. Each key is generated once, shown in full, and then stored as a SHA-256 hash. This means ModelRiver cannot retrieve your key after creation: store it securely.

Creating API keys

1. Navigate to Settings → API Keys in your project
2. Click Create API Key
3. Choose an expiration period (see below)
4. Copy the key immediately: it will not be shown again
5. Store the key in your secret manager or environment variables

Key expiration

Every API key has a configurable expiration. Choose the duration that matches your use case when creating a key:

Expired keys are automatically invalidated. Requests made with an expired key return 401 Unauthorized. You can always create a new key and revoke the old one before it expires for a zero-downtime rotation.

Key prefix

All API keys use the mr_live_ prefix. This makes them easy to identify in environment variables and secret managers.

Revoking keys

Revoke compromised keys from the console: invalidation is immediate. Any in-flight requests using the revoked key will fail with a 401 Unauthorized response.

1. Navigate to Settings → API Keys
2. Find the key to revoke
3. Click Revoke and confirm

Best practices

• One key per integration: Create separate keys for each environment, service, or team member to enable granular revocation.
• Use environment variables: Never hardcode API keys in source code. Use MODELRIVER_API_KEY in your environment.
• Rotate regularly: Create a new key, update your application, then revoke the old key. Zero-downtime rotation.
• Monitor usage: Check Request Logs to verify which key is being used and detect anomalies.
• Choose short expirations for dev: Use 1-day or 7-day keys for development environments so they auto-expire if forgotten.

Next steps

• Provider credentials: Secure your AI provider tokens
• Data retention: Understand data storage policies
• API authentication: Technical integration details