API Key Rotation

Regular API key rotation is a security best practice that limits the impact of compromised credentials. OpenRouter’s Management API makes it easy to rotate keys programmatically without service interruption.

Why Rotate API Keys?

Rotating API keys regularly helps protect your applications by limiting the window of exposure if a key is compromised, meeting compliance requirements for credential management, enabling clean audit trails of key usage, and allowing you to revoke access for former team members or deprecated systems.

Rotation Strategy

A zero-downtime key rotation follows three steps: create a new key, update your applications to use the new key, and delete the old key once all systems have migrated.

Rotating Keys with the Management API

First, you’ll need a Management API key to manage your API keys programmatically.

Step 1: Create a New Key

1
import { OpenRouter } from '@openrouter/sdk';
2
3
const openRouter = new OpenRouter({
4
  apiKey: 'your-management-key',
5
});
6
7
const newKey = await openRouter.apiKeys.create({
8
  name: 'Production Key - Rotated 2025-01',
9
  limit: 1000,
10
});
11
12
console.log('New key created:', newKey.data.key);
13
console.log('Key hash:', newKey.data.hash);

Step 2: Update Your Applications

Deploy your new API key to your applications. The specific process depends on your infrastructure, but common approaches include updating environment variables in your deployment configuration, rotating secrets in your secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.), or updating your CI/CD pipeline variables.

Both keys remain valid during this transition period, so you can roll out changes gradually without service interruption.

Step 3: Delete the Old Key

Once all your applications are using the new key, delete the old one:

1
import { OpenRouter } from '@openrouter/sdk';
2
3
const openRouter = new OpenRouter({
4
  apiKey: 'your-management-key',
5
});
6
7
const oldKeyHash = 'hash-of-old-key';
8
await openRouter.apiKeys.delete(oldKeyHash);
9
10
console.log('Old key deleted successfully');

BYOK Advantage: Simplified Key Rotation

If you use Bring Your Own Key (BYOK) with OpenRouter, you get a significant advantage when it comes to key rotation: you can rotate your OpenRouter API keys without ever needing to rotate your provider keys.

When you configure BYOK, your provider API keys (OpenAI, Anthropic, Google, etc.) are stored securely in OpenRouter and associated with your account, not with individual OpenRouter API keys. This means:

• Rotate OpenRouter keys freely: You can rotate your OpenRouter API keys as often as you like for security compliance without touching your provider credentials.
• Provider keys stay stable: Your provider API keys remain unchanged, avoiding the complexity of rotating credentials across multiple AI providers.
• Single point of management: Manage all your provider keys in one place through OpenRouter’s integrations settings, while rotating your application-facing OpenRouter keys independently.

This separation of concerns makes BYOK particularly valuable for organizations with strict key rotation policies. You get the security benefits of regular key rotation for your application credentials while maintaining stable, long-lived connections to your AI providers.

Best Practices

When implementing key rotation, keep these recommendations in mind:

• Use descriptive key names: Include rotation dates or version numbers in key names for easy tracking.
• Monitor key usage: Check the Activity page to verify traffic has migrated to the new key before deleting the old one.
• Set appropriate limits: Apply spending limits to new keys to prevent unexpected costs.
• Document your rotation schedule: Establish and follow a regular rotation cadence (e.g., quarterly).
• Test in staging first: Validate your rotation process in a non-production environment.

Related Resources

• Management API Keys - Full API reference for key management
• BYOK - Configure your own provider keys