Powered by

# API Key Management and Distribution Policy

# Purpose

This policy recommends the security and governance requirements for managing, storing, distributing, and using API keys within the AI platform and proxy infrastructure.

The objective is to prevent unauthorized access to AI models, protect provider credentials, enforce usage governance, and reduce the risk of credential leakage or abuse.

# Prohibition of API Key Distribution

API keys are confidential security credentials and must not be distributed or exposed outside authorized systems and personnel.

The following activities are strictly prohibited:

  • Sharing API keys or master keys through email, chat platforms, ticketing systems, or collaboration tools
  • Embedding API keys or provider API keys in source code repositories, notebooks, scripts, or configuration files committed to version control
  • Exposing API keys in frontend applications, browsers, mobile applications, or client-side code
  • Distributing provider credentials directly to end users or application teams
  • Publishing keys in documentation, screenshots, logs, dashboards, or presentations
  • Reusing shared administrative keys across multiple teams or applications
  • Using unrestricted master keys for application integrations

# Approved Usage Model

All application access to AI providers must occur through the AI Proxy layer using managed virtual API keys.

Provider credentials must remain internal to the AI Gateway infrastructure and must never be directly exposed to applications or users.

Approved architecture:

Client Application
       |
       v
AI Gateway Proxy
       |
       +--> Phoeniqs

Applications must only use:

  • Virtual API keys
  • Approved API endpoints

# API Key Security Requirements

# 1. Virtual Key Usage

All consumers must use generated virtual API keys.

Virtual keys must:

  • Be scoped to approved models only
  • Have assigned budgets and rate limits
  • Be associated with identifiable users, services, or teams
  • Follow least-privilege principles

# 4. Key Distribution Restrictions

API keys must not be:

  • Shared between teams
  • Used across multiple environments without segregation
  • Embedded in containers, images, or deployment manifests
  • Stored in plaintext files

Separate keys must be maintained for:

  • Development
  • Testing
  • Staging
  • Production

# Incident Response

Any suspected exposure or unauthorized distribution of API keys must be reported immediately.

Compromised keys must be:

  1. Revoked immediately
  2. Rotated and replaced
  3. Investigated for misuse or unauthorized access
  4. Logged as a security incident

# Compliance Requirements

Failure to comply with this policy may result in:

  • Revocation of API access
  • Suspension of API usage
  • Security escalation procedures
  • Organizational disciplinary action

# See also

Subscription Plans & Features
../../subscriptions/
How to inference an AI model
../how-to-inference-a-model/

© Copyright 2026. All rights reserved.