Skip to main content

Authentication

LLMTune uses workspace-scoped API keys for programmatic access. All API requests require authentication using a Bearer token in the Authorization header.

Creating an API Key

  1. Navigate to API Keys in the LLMTune dashboard.
  2. Click Create API Key.
  3. Give your key a descriptive name (e.g., production-backend, staging-testing).
  4. Copy the generated key immediately – you won’t be able to see it again.
Your API key will look like: llmtune_sk_...

Using an API Key

Include the key as a Bearer token in the Authorization header: 
Authorization: Bearer YOUR_API_KEY

Example Request

curl https://api.llmtune.io/v1/models/meta-llama/Llama-3.3-70B-Instruct/inference \
  -H "Authorization: Bearer llmtune_sk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "prompt": "Hello, world!",
    "temperature": 0.7
  }'

Workspace Scoping

API keys are scoped to your workspace:
  • All keys in a workspace share the same resources (datasets, models, deployments)
  • Keys grant access to all workspace features (inference, fine-tuning, deployment, etc.)
  • Usage is tracked per key for analytics and debugging

Security Best Practices

Store Keys Securely

  • Never commit API keys to version control
  • Use environment variables to store keys
  • Use secret managers (AWS Secrets Manager, HashiCorp Vault, etc.) in production

Rotate Keys Regularly

  • Rotate keys periodically (e.g., every 90 days)
  • Rotate immediately if a key is compromised
  • Update integration environments with new keys before deleting old ones

Use Separate Keys

  • Different keys per environment – Use separate keys for staging and production
  • Different keys per service – Use different keys for different backend services
  • Different keys per team – Use different keys for different teams or projects

Restrict Access

  • Delete unused keys from the dashboard to reduce exposure
  • Monitor key usage in the Usage dashboard
  • Revoke compromised keys immediately

Key Management

Viewing Keys

  • See all your API keys in the API Keys section of the dashboard
  • View key metadata (name, created date, last used)
  • Note: You cannot view the key value after creation

Revoking Keys

  1. Go to API Keys in the dashboard
  2. Find the key you want to revoke
  3. Click Revoke or Delete
  4. Confirm the revocation
Revoked keys cannot be used for new requests. Existing requests in progress may complete, but new requests will fail with 401 Unauthorized.

Error Responses

Invalid or missing API keys return: 
{
  "error": {
    "message": "Invalid API key",
    "code": "UNAUTHORIZED"
  }
}
HTTP status: 401 Unauthorized

Next Steps