> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fortapi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# API keys & security

> Creating, using and revoking API keys

You need an **API key** (also called a token) to call any model through FortAPI. Keys start with `sk-...`.

## Creating a key

<Steps>
  <Step title="Open the Tokens section">
    Dashboard → **Tokens**.
  </Step>

  <Step title="Create a new token">
    Click **Create token**. Fill in:

    * **Name**: for your reference, e.g. `local-dev`, `production-bot`.
    * **Expiry**: leave "Never" or set a specific date.
    * **Spend limit (optional)**: cap on how much this key can draw from your overall balance.
    * **Model access (optional)**: restrict the key to specific models.
  </Step>

  <Step title="Copy the key">
    Save the key after creation. You can also view it again later from the **Tokens** page in the dashboard.
  </Step>
</Steps>

## Using the key

Pass the key in the `Authorization: Bearer sk-...` header on every request:

```bash theme={null}
curl https://www.fortapi.com/v1/chat/completions \
  -H "Authorization: Bearer sk-YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{...}'
```

SDKs accept it as `api_key` or `apiKey` — see [API Reference](/en/api-reference).

## Security best practices

<CardGroup cols={2}>
  <Card title="❌ Don't commit to Git" icon="ban">
    Never put `sk-...` in commits. Repos — especially public — get scraped by bots in minutes.
  </Card>

  <Card title="✅ Use environment variables" icon="circle-check">
    Store the key in `.env` or system env. Read it with `os.getenv("OPENAI_API_KEY")`.
  </Card>

  <Card title="❌ Don't expose to frontend" icon="ban">
    The API key belongs only on the backend. If the browser calls FortAPI directly, anyone opening DevTools sees the key.
  </Card>

  <Card title="✅ One key per project" icon="circle-check">
    Don't share a single key across projects. If one leaks, the others stay safe — only revoke the bad one.
  </Card>
</CardGroup>

## Revoking and rotating

If a key leaks (committed to Git, posted in chat, in a screenshot):

<Steps>
  <Step title="Revoke immediately">
    In **Tokens**, find the bad key → **Disable** or **Delete**. All subsequent requests with it return `401 Unauthorized`.
  </Step>

  <Step title="Create a replacement">
    Generate a new key with the same limits and update your application's environment.
  </Step>

  <Step title="Audit logs">
    In **Logs**, scan for suspicious requests from the leaked key before revocation.
  </Step>
</Steps>

## Spend limits

When creating a key you can set "max X USD from overall balance". Useful for:

* **Prod/staging split**: production key with no limit, staging with \$10 limit.
* **Delegation**: give a contractor a key with a \$50 cap for one feature.
* **Bug protection**: a runaway script can't drain everything — it hits the cap.

When the limit is reached, the key stops working automatically (even if your overall balance has more).

## Multiple keys

You can have any number of active keys at once. A typical layout:

| Key            | Purpose                | Expiry  | Limit |
| -------------- | ---------------------- | ------- | ----- |
| `prod-app`     | Production             | never   | none  |
| `staging`      | Staging                | never   | \$10  |
| `local-dev`    | Local development      | 30 days | \$5   |
| `experiment-X` | Experimental project X | 7 days  | \$1   |

This gives isolation — if one key has issues, revoke and recreate it without touching the others.

## Account compromise

If your FortAPI account is compromised (someone got your password):

1. Change your password immediately (if you still have access).
2. If you've lost access — email [support@fortapi.com](mailto:support@fortapi.com) from the email on file with your description of the situation.
3. After regaining access: revoke all API keys and create new ones.
