API Keys

API keys enable external systems and tools to access your organization’s prompts and deployments. Use them for CI/CD pipelines, monitoring dashboards, or custom integrations.

Who Can Manage API Keys?

Only Owners and Admins can create, view, and delete API keys. Editors and Viewers cannot access API key management.

What Are API Keys For?

API keys provide programmatic access to your organization. Common use cases include:

| Use Case | Description |
| --- | --- |
| CI/CD Pipelines | Automatically deploy prompts as part of your build process |
| Monitoring | Read prompt performance metrics from external dashboards |
| External Tools | Integrate with third-party prompt management or testing tools |
| Automation | Run automated tests against your prompts |
| Custom Apps | Build internal tools that interact with your prompt library |

Permission Presets

When creating an API key, you can choose from predefined permission sets:

| Preset | Permissions Included | Best For |
| --- | --- | --- |
| Read-only | Read prompts, deployments, tests | Dashboards, monitoring, reporting |
| CI/CD | Read prompts, run tests | Automation pipelines, testing |
| Full Access | All permissions | Admin tools, complete integrations |

Custom Permissions

For fine-grained control, you can customize which permissions your API key has:

| Permission | Description |
| --- | --- |
| read:prompts | List and read prompt content |
| write:prompts | Create and update prompts |
| delete:prompts | Delete prompts |
| read:deployments | View deployment history and versions |
| read:tests | View test cases and results |
| execute:tests | Run test cases (may consume credits) |

Choosing Permissions

Follow the principle of least privilege:

  • Only grant permissions the integration actually needs
  • Use read-only permissions when writing isn’t required
  • Avoid full access unless absolutely necessary

Creating an API Key

Step 1: Navigate to API Keys

Go to Settings → API Keys tab in your organization.

Step 2: Click “Create API Key”

Click the Create API Key button.

Step 3: Configure the Key

Fill in the configuration form:

| Field | Description | Required |
| --- | --- | --- |
| Name | A descriptive name for the key (e.g., “CI Pipeline”, “Monitoring Dashboard”) | Yes |
| Permissions | Select a preset or customize permissions | Yes |
| Expiration | Optional expiration date | No |

Step 4: Create and Copy the Key

  1. Click Create
  2. Your API key is displayed once only
  3. Copy the key immediately and store it securely
  4. The key cannot be displayed again after closing the dialog

Warning: If you lose the key, you’ll need to create a new one. The key value is never stored in a retrievable format.

Using API Keys

Authentication

Include your API key in the Authorization header:

```bash
curl -X GET "https://promptstudio-api.llmx.de/v1/prompts" \
  -H "Authorization: Bearer pk_abc123..."
```

API Endpoints

With a valid API key, you can access:

```
GET    /v1/prompts           # List prompts
GET    /v1/prompts/{id}      # Get prompt details
POST   /v1/prompts           # Create prompt (requires write:prompts)
PUT    /v1/prompts/{id}      # Update prompt (requires write:prompts)
DELETE /v1/prompts/{id}      # Delete prompt (requires delete:prompts)
GET    /v1/deployments       # List deployments
GET    /v1/deployments/{id}  # Get deployment details
POST   /v1/tests/run         # Execute tests (requires execute:tests)
```

Managing Existing Keys

Viewing Keys

Go to Settings → API Keys to see all keys for your organization.

Each key shows:

  • Name
  • Key prefix (first 8 characters)
  • Permissions
  • Created date
  • Last used date
  • Expiration status

Deleting Keys

  1. Find the key in the list
  2. Click the Delete button (trash icon)
  3. Confirm the deletion

Deleted keys:

  • Stop working immediately
  • Cannot be recovered
  • Should be removed from any systems using them

Key Expiration

Optional Expiration

You can set an expiration date when creating a key:

  • Keys expire at midnight UTC on the specified date
  • Expired keys return 401 Unauthorized errors
  • Set expiration for temporary integrations or contractor access

Keys Without Expiration

Keys without an expiration date:

  • Remain valid indefinitely
  • Should be rotated periodically as a security practice
  • Can be deleted manually when no longer needed

Security Best Practices

Secure Storage

Never expose API keys in:

  • Source code or version control
  • Client-side JavaScript
  • Public documentation
  • Chat messages or emails

Instead, store keys in:

  • Environment variables
  • Secrets managers (AWS Secrets Manager, HashiCorp Vault)
  • CI/CD secrets (GitHub Secrets, GitLab CI variables)

Minimal Permissions

Grant only the permissions needed:

  • Monitoring dashboard? Use read:prompts only
  • CI pipeline? Use CI/CD preset
  • Never use Full Access unless necessary
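
The following added example (not LLMx Prompt Studio code) derives the smallest permission set from the calls an integration actually makes, using the endpoint list and presets described on this page. The `read:*` scopes for GET endpoints and the scope names behind each preset are assumptions read off the permission tables.

```python
import re

# (method, path regex, scope). Scopes for POST/PUT/DELETE and test runs are the
# ones documented on this page; the read:* scopes for GET are assumed.
ENDPOINT_SCOPES = [
    ("GET", r"/v1/prompts(/[^/]+)?", "read:prompts"),
    ("POST", r"/v1/prompts", "write:prompts"),
    ("PUT", r"/v1/prompts/[^/]+", "write:prompts"),
    ("DELETE", r"/v1/prompts/[^/]+", "delete:prompts"),
    ("GET", r"/v1/deployments(/[^/]+)?", "read:deployments"),
    ("POST", r"/v1/tests/run", "execute:tests"),
]

# Presets from the Permission Presets table, expressed as scope names (assumed).
PRESETS = {
    "Read-only": {"read:prompts", "read:deployments", "read:tests"},
    "CI/CD": {"read:prompts", "execute:tests"},
    "Full Access": {"read:prompts", "write:prompts", "delete:prompts",
                    "read:deployments", "read:tests", "execute:tests"},
}


def required_scopes(calls):
    """Map the (method, path) calls an integration makes to the scopes it needs."""
    needed = set()
    for method, path in calls:
        for known_method, pattern, scope in ENDPOINT_SCOPES:
            if method.upper() == known_method and re.fullmatch(pattern, path):
                needed.add(scope)
                break
        else:
            raise ValueError(f"endpoint not in the documented list: {method} {path}")
    return needed


def excess_scopes(preset, calls):
    """Scopes a preset would grant that the integration never uses."""
    return PRESETS[preset] - required_scopes(calls)


def recommend(calls):
    """Return (preset name or 'Custom', scopes to grant) with zero excess."""
    needed = required_scopes(calls)
    for name, scopes in PRESETS.items():
        if scopes == needed:
            return name, needed
    return "Custom", needed
```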

Regular Rotation

Rotate API keys periodically:

  1. Create a new key with the same permissions
  2. Update your integrations to use the new key
  3. Verify the new key works
  4. Delete the old key

Monitor Usage

Check the “Last Used” timestamp regularly:

  • Unused keys may indicate abandoned integrations
  • Consider deleting keys that haven’t been used in months

Set Expiration for Temporary Access

When granting access to:

  • Contractors
  • Trial integrations
  • Time-limited projects

Always set an expiration date.
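
The rotation, usage and expiration checks above can be run over an exported key inventory. This is an added example, not part of the product: the record layout mirrors the fields shown in the key list, the inventory is constructed sample data, and the 90-day and 180-day thresholds are assumptions to adjust to your own policy.

```python
from datetime import date

ALL_SCOPES = {"read:prompts", "write:prompts", "delete:prompts",
              "read:deployments", "read:tests", "execute:tests"}


def audit_key(key, today, stale_days=90, rotate_days=180):
    """Return the list of findings for one key record (thresholds are assumed)."""
    findings = []
    age = (today - key["created"]).days
    if key["expires"] is None:
        findings.append("no expiration set")
        if age > rotate_days:
            findings.append(f"rotation overdue ({age} days old)")
    elif key["expires"] < today:
        # Strictly before today: expired under either reading of
        # "midnight UTC on the specified date".
        findings.append("expired, delete from the key list")
    if key["last_used"] is None:
        if age > stale_days:
            findings.append("never used")
    elif (today - key["last_used"]).days > stale_days:
        findings.append(f"unused for {(today - key['last_used']).days} days")
    if set(key["permissions"]) >= ALL_SCOPES:
        findings.append("Full Access, check whether it is needed")
    return findings


def audit(inventory, today):
    """Map key prefix -> findings, omitting keys with nothing to report."""
    report = {}
    for key in inventory:
        findings = audit_key(key, today)
        if findings:
            report[key["prefix"]] = findings
    return report


# Constructed inventory; prefixes are the 8 characters shown in the key list.
INVENTORY = [
    {"name": "CI Pipeline", "prefix": "pk_c1c1c", "permissions": ["read:prompts", "execute:tests"],
     "created": date(2024, 1, 10), "last_used": date(2024, 5, 30), "expires": date(2024, 12, 31)},
    {"name": "Old dashboard", "prefix": "pk_d4d4d", "permissions": ["read:prompts"],
     "created": date(2023, 3, 1), "last_used": date(2023, 11, 2), "expires": None},
    {"name": "Contractor", "prefix": "pk_e5e5e", "permissions": sorted(ALL_SCOPES),
     "created": date(2024, 2, 1), "last_used": None, "expires": date(2024, 4, 30)},
]
TODAY = date(2024, 6, 1)  # fixed so the result is reproducible
```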


For Developers

Key Format

API keys follow a consistent format for easy identification:

pk_{32_random_characters}

Example: pk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

The pk_ prefix helps identify LLMx Prompt Studio keys in configuration files.
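
Because the format is fixed, a pre-commit or CI check can find keys that ended up in source code or configuration, the exposure the Secure Storage section warns about. The scanner below is an added example, not LLMx Prompt Studio code; it assumes the 32 random characters are ASCII letters and digits, and its sample input is constructed.

```python
import re
from pathlib import Path

# Assumption: the 32 random characters are ASCII letters and digits, as in the
# page's example key. The lookarounds reject longer tokens that merely contain one.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])pk_[A-Za-z0-9]{32}(?![A-Za-z0-9])")

# The documentation example key from this page; not a live secret.
DOC_EXAMPLE = "pk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"


def redact(key):
    """Keep the first 8 characters only, so the report never holds a usable key."""
    return key[:8] + "*" * (len(key) - 8)


def scan_text(text, source="<input>", allow=(DOC_EXAMPLE,)):
    """Return (source, line number, redacted key) for each key-shaped token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            if match.group() not in allow:
                findings.append((source, lineno, redact(match.group())))
    return findings


def scan_tree(root):
    """Scan every readable text file under root (e.g. a repository checkout)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            try:
                text = path.read_text(encoding="utf-8")
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable file
            findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample; the first key is generated here, not a real credential.
SAMPLE = "\n".join([
    "# app.env",
    "PROMPT_STUDIO_KEY=pk_" + "Ab12" * 8,
    'docs = "' + DOC_EXAMPLE + '"',
    "placeholder: pk_abc123...",
])
```

A key reported by the scanner should be treated as exposed: delete it in the key list and issue a replacement.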

Authentication Header

Authorization: Bearer pk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Key Storage

Keys are stored as SHA-256 hashes:

```python
import hashlib
import hmac


def hash_api_key(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


# The full key is never stored - only the hash
stored_hash = hash_api_key("pk_a1b2c3...")


# Verification
def verify_key(provided_key: str, stored_hash: str) -> bool:
    # Constant-time comparison, so timing does not reveal how much of the hash matched
    return hmac.compare_digest(hash_api_key(provided_key), stored_hash)
```

Permission Checking

```python
from fastapi import Depends, FastAPI, HTTPException

app = FastAPI()

# ApiKey and verify_api_key are not shown on this page.


def check_permission(api_key: ApiKey, required_permission: str) -> bool:
    return required_permission in api_key.permissions


# Usage in endpoint
@app.get("/v1/prompts")
async def list_prompts(api_key: ApiKey = Depends(verify_api_key)):
    if not check_permission(api_key, "read:prompts"):
        raise HTTPException(403, "Missing permission: read:prompts")
    # ... continue with request
```

Expiration Checking

```python
from datetime import datetime, timezone


def is_key_valid(api_key: ApiKey) -> bool:
    if api_key.expires_at is None:
        return True  # No expiration set
    # expires_at is assumed to be a timezone-aware UTC datetime
    return datetime.now(timezone.utc) < api_key.expires_at
```

Rate Limiting

API keys are subject to rate limits:

| Endpoint Category | Rate Limit |
| --- | --- |
| Read operations | 60 requests/minute |
| Write operations | 20 requests/minute |
| Test execution | 5 requests/minute |

Rate limit headers are included in responses:

```
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1640995200
```