Managing Your API Keys Securely

What You'll Learn

How to safely add, manage, and rotate API keys for your AI providers while keeping your applications secure.

What Are API Keys?

Simple Explanation

API keys are like special passwords that let your applications talk to AI services like OpenAI, Claude, or OpenRouter. They prove you're authorized to use these services and help track your usage.

Two Types of Keys in RunForge

  1. Provider Keys: Connect to AI services (OpenAI, OpenRouter, etc.)
  2. Ingest Keys: Let your applications send data to RunForge

Why Security Matters

  • API keys cost money - Stolen keys can rack up charges
  • Rate limits apply - Misuse can get your keys blocked
  • Data privacy - Keys access your AI service accounts
  • Compliance - Many organizations require secure key management

Adding Provider API Keys

Before You Start

Make sure you have accounts with your chosen AI providers:

  • OpenAI: platform.openai.com
  • OpenRouter: openrouter.ai
  • Anthropic: console.anthropic.com

Step-by-Step Setup

1. Navigate to API Keys

  1. Go to Settings in the top navigation
  2. Select the project you want to configure
  3. Click API Keys in the sidebar

2. Add a New Provider Key

  1. Click Add API Key or Add Provider Key
  2. Select your provider from the dropdown:
       • OpenAI
       • OpenRouter
       • Anthropic
       • Custom/Other

3. Configure the Key

  1. Key Name: Give it a descriptive name
       • ✅ Good: "Production OpenAI Key"
       • ✅ Good: "Development GPT Key"
       • ❌ Avoid: "Key1" or "MyKey"
  2. API Key Value: Paste your key from the provider
       • Always copy from the official provider website
       • Never share keys in chat, email, or documentation
  3. Description (optional): Note what this key is used for
       • "Main production chatbot"
       • "Development testing only"

4. Test the Connection

  1. RunForge will automatically test the key
  2. You'll see a ✅ success or ❌ error message
  3. If it fails, double-check the key and try again

Getting Keys from Each Provider

OpenAI API Keys

  1. Sign in to platform.openai.com
  2. Go to API Keys: Click your profile → "View API keys"
  3. Create Key: Click "Create new secret key"
  4. Name it: Give it a recognizable name
  5. Copy immediately: You won't be able to see it again
  6. Set usage limits: Consider setting monthly limits

OpenRouter API Keys

  1. Sign in to openrouter.ai
  2. Go to Keys: Click your profile → "Keys"
  3. Create Key: Click "Create Key"
  4. Configure: Set limits and permissions if needed
  5. Copy the key: Save it securely

Anthropic API Keys

  1. Sign in to console.anthropic.com
  2. Go to Keys: Navigate to "API Keys"
  3. Create Key: Click "Create Key"
  4. Set permissions: Choose appropriate access levels
  5. Copy and save: Store securely

Managing Ingest Keys

What Are Ingest Keys?

These special keys let your applications send usage data to RunForge. Each project gets its own ingest key.

Finding Your Ingest Key

  1. Select your project from the project dropdown
  2. Go to Settings → API Keys
  3. Look for "Ingest Key" or "RunForge API Key"
  4. Copy the key: Use the copy button to get the full key

Using Ingest Keys in Your Code

Never put keys directly in your code. Use environment variables:

For TypeScript/JavaScript:

# In your .env file
RUNFORGE_API_KEY=your-ingest-key-here
RUNFORGE_PROJECT_ID=your-project-id-here

For Python:

# In your .env file
RUNFORGE_API_KEY=your-ingest-key-here
RUNFORGE_PROJECT_ID=your-project-id-here

SDK Configuration

TypeScript/JavaScript:

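// RunForge is the client class provided by the RunForge SDK.
const runforge = new RunForge({
  // Secrets come from the environment; the `!` assertions do not check that they are set.
  apiKey: process.env.RUNFORGE_API_KEY!,
  projectId: process.env.RUNFORGE_PROJECT_ID!,
  // Local development endpoint. Anywhere else, use an https:// endpoint so the ingest key is not sent in clear text.
  endpoint: 'http://localhost:3000/api/ingest'
})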

Python:

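import os

# RunForge is the client class provided by the RunForge SDK.
# os.environ[...] raises KeyError at startup if a variable is missing.
rf = RunForge(
    api_key=os.environ['RUNFORGE_API_KEY'],
    project_id=os.environ['RUNFORGE_PROJECT_ID'],
    # Local development endpoint. Anywhere else, use an https:// endpoint so the ingest key is not sent in clear text.
    endpoint='http://localhost:3000/api/ingest'
)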

Security Best Practices

Key Storage

✅ Do This:

  • Store keys in environment variables
  • Use secret management services (AWS Secrets Manager, etc.)
  • Keep keys out of version control (use .gitignore)
  • Use different keys for development vs production

❌ Never Do This:

  • Put keys directly in source code
  • Commit keys to GitHub/GitLab
  • Share keys in chat or email
  • Use production keys for development
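One way to check that no keys have reached version control, as an added example (not RunForge's own code): it scans git-tracked files for strings shaped like provider keys and for a RUNFORGE_API_KEY assigned a literal value. The key prefixes and the 16-character minimum for an ingest key are assumptions; adjust them to the keys you actually use.

```python
import re
import subprocess
from pathlib import Path

# Assumed key shapes; provider formats can change, so adjust to your own keys.
PATTERNS = {
    "anthropic": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "openrouter": re.compile(r"\bsk-or-[A-Za-z0-9_-]{20,}"),
    "openai": re.compile(r"\bsk-(?!ant-|or-)[A-Za-z0-9_-]{20,}"),
    # RUNFORGE_API_KEY set to a literal rather than read from the environment.
    # The placeholder used on this page ("your-...") is deliberately not flagged.
    "runforge-literal": re.compile(
        r"RUNFORGE_API_KEY\s*[=:]\s*['\"]?(?!your-)([A-Za-z0-9_-]{16,})"),
}


def redact(secret):
    """Keep enough of the value to identify it without re-leaking it."""
    return secret[:6] + "..." + secret[-2:]


def scan_text(path, text):
    """Return (path, line_number, kind, redacted_value) for each suspected key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)
                findings.append((path, lineno, kind, redact(value)))
    return findings


def scan_tracked_files(repo="."):
    """Scan every file git tracks in `repo`; ignored files such as .env are skipped."""
    out = subprocess.run(["git", "-C", repo, "ls-files", "-z"],
                         check=True, capture_output=True, text=True).stdout
    findings = []
    for name in filter(None, out.split("\0")):
        try:
            text = (Path(repo) / name).read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file
        findings.extend(scan_text(name, text))
    return findings
```

A finding in a tracked file means the key is already in the repository history, so rotate it rather than only deleting the line.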

Key Rotation Schedule

  • Monthly: For high-security applications
  • Quarterly: For most business applications
  • Yearly: For low-risk personal projects
  • Immediately: If a key is compromised

Monitoring Key Usage

Watch for these warning signs:

  • Unexpected costs: Someone might be using your keys
  • Unusual patterns: Calls from unknown locations/times
  • Rate limit hits: Excessive usage beyond normal patterns
  • Error spikes: Might indicate unauthorized access attempts
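The warning signs above expressed as a check over usage records for one key, as an added example (not part of RunForge). The record layout (timestamp, HTTP status, cost), the thresholds and the sample data are assumptions constructed for illustration; call location is not covered.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median


def hourly(records):
    """Bucket (iso_timestamp, http_status, cost_usd) records by clock hour."""
    buckets = defaultdict(lambda: {"cost": 0.0, "calls": 0, "auth": 0, "limited": 0})
    for ts, status, cost in records:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        b = buckets[hour]
        b["cost"] += cost
        b["calls"] += 1
        b["auth"] += status in (401, 403)   # rejected credentials
        b["limited"] += status == 429       # provider rate limit
    return buckets


def find_anomalies(baseline, recent, cost_factor=3.0, auth_error_ratio=0.2):
    """Flag hours in `recent` that deviate from the `baseline` window of one key."""
    base = hourly(baseline)
    usual_hours = {h.hour for h in base}
    typical_cost = median(b["cost"] for b in base.values())
    alerts = []
    for hour, b in sorted(hourly(recent).items()):
        when = hour.isoformat()
        if b["cost"] > cost_factor * typical_cost:
            alerts.append((when, "unexpected-cost"))
        if hour.hour not in usual_hours:
            alerts.append((when, "unusual-time"))
        if b["limited"]:
            alerts.append((when, "rate-limit-hit"))
        if b["auth"] / b["calls"] > auth_error_ratio:
            alerts.append((when, "error-spike"))
    return alerts


# Constructed sample data: office-hours traffic as the baseline, then one
# normal hour and one 03:00 burst with rejected and rate-limited calls.
BASELINE = [(f"2024-05-0{d}T{h:02d}:15:00", 200, 0.40)
            for d in (1, 2, 3) for h in range(9, 18)]
RECENT = ([("2024-05-06T10:05:00", 200, 0.45)]
          + [(f"2024-05-07T03:{m:02d}:00", 200, 0.50) for m in range(10)]
          + [("2024-05-07T03:30:00", 401, 0.0)] * 3
          + [("2024-05-07T03:40:00", 429, 0.0)])

if __name__ == "__main__":
    for alert in find_anomalies(BASELINE, RECENT):
        print(*alert)
```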

Rotating API Keys

When to Rotate Keys

  • Scheduled rotation: Every 3-6 months
  • Team member changes: When someone leaves
  • Security incident: If keys might be compromised
  • Best practice: Before major deployments

How to Rotate Keys Safely

Step 1: Create New Key

  1. Go to your provider (OpenAI, OpenRouter, etc.)
  2. Create a new API key
  3. Test it in a development environment
  4. Confirm it works with your applications

Step 2: Update RunForge

  1. Go to Settings → API Keys in RunForge
  2. Click Edit next to the old key
  3. Replace the key value with the new key
  4. Test the connection
  5. Save the changes

Step 3: Update Your Applications

  1. Update environment variables with the new key
  2. Restart your applications
  3. Monitor for any issues
  4. Verify tracking is still working

Step 4: Deactivate Old Key

  1. Wait 24-48 hours to ensure everything works
  2. Go back to your provider
  3. Delete or deactivate the old key
  4. Confirm your applications still work

Zero-Downtime Rotation

For critical applications:

  1. Add the new key alongside the old one
  2. Update half your applications to use the new key
  3. Monitor for issues for 24 hours
  4. Update remaining applications
  5. Remove the old key after confirming success

Troubleshooting API Key Issues

"Invalid API Key" Errors

Common causes:

  • Key was typed incorrectly (common with copy/paste)
  • Key has been deactivated by the provider
  • Key has expired or hit usage limits
  • Wrong key for the selected provider

Solutions:

  1. Double-check the key: Copy directly from provider
  2. Check provider dashboard: Ensure key is active
  3. Verify limits: Make sure you haven't hit usage caps
  4. Test with a simple call: Use provider's testing tools

Keys Not Saving

Possible issues:

  • Network connection problems
  • Browser storage issues
  • Invalid key format
  • Insufficient permissions

Solutions:

  1. Refresh the page and try again
  2. Clear browser cache and cookies
  3. Try a different browser
  4. Check your internet connection
  5. Contact support if problems persist

Tracking Not Working

Check these items:

  • Is the ingest key correct in your application?
  • Is the project ID correct?
  • Is your application actually making AI calls?
  • Are you looking at the right time period on the dashboard?

Unexpected Costs

Immediate steps:

  1. Check recent activity in your provider dashboard
  2. Review your application logs for unusual patterns
  3. Rotate your keys immediately if suspicious
  4. Set usage limits in your provider account
  5. Monitor closely for 24-48 hours

Key Management Checklist

Initial Setup

  • [ ] Create keys with descriptive names
  • [ ] Test each key after creation
  • [ ] Store keys securely (environment variables)
  • [ ] Document which keys are used where
  • [ ] Set usage limits in provider accounts

Ongoing Management

  • [ ] Review key usage monthly
  • [ ] Rotate keys quarterly (or per your schedule)
  • [ ] Monitor for unusual activity
  • [ ] Update documentation when keys change
  • [ ] Remove unused or old keys

Security Audit

  • [ ] Are any keys in version control? (Fix immediately)
  • [ ] Do all keys have appropriate usage limits?
  • [ ] Are development and production keys separate?
  • [ ] Do departing team members have key access? (Rotate)
  • [ ] Are keys shared in insecure ways? (Rotate)

Next Steps